Abstract. Global types are formal specifications that describe communication protocols 
in terms of their global interactions. We present a new, streamlined language of global 
types equipped with a trace-based semantics and whose features and restrictions are se- 
mantically justified. The multi-party sessions obtained projecting our global types enjoy 
a liveness property in addition to the traditional progress and are shown to be sound and 
complete with respect to the set of traces of the originating global type. Our notion of com- 
pleteness is less demanding than the classical ones, allowing a multi-party session to leave 
out redundant traces from an underspecified global type. In addition to the technical con- 
tent, we discuss some limitations of our language of global types and provide an extensive 
comparison with related specification languages adopted in different communities. 



1. Introduction 

Relating the global specification of a system of communicating entities with an implemen- 
tation (or description) of the single entities is a standard problem in many different areas 
of computer science. The recent development of session-oriented interactions has renewed 
the interest in this problem. In this work we attack it from the behavioral type and process 
algebra perspectives and briefly compare the approaches used in other areas. 

A (multi-party) session is a place of interaction for a restricted number of participants 
that communicate messages. The interaction may involve the exchange of arbitrary se- 
quences of messages of possibly different types. Sessions are restricted to a (usually fixed) 
number of participants, which makes them suitable as a structuring construct for systems of 
communicating entities. In this work we define a language to describe the interactions that 
may take place among the participants implementing a given session. In particular, we aim 
at a definition based on few "essential" assumptions that should not depend on the way each 
single participant is implemented. To give an example, a bargaining protocol that includes 
two participants, "seller" and "buyer", can be informally described as follows: 

Seller sends buyer a price and a description of the product; then buyer sends 
seller acceptance or it quits the conversation. 

If we abstract from the value of the price and the content of the description sent by the 
seller, this simple protocol describes just two possible executions, according to whether the 
buyer accepts or quits. If we consider that the price and the description are in distinct mes- 
sages then the possible executions become four, according to which communication happens 
first. While the protocol above describes a finite set of possible interactions, it can be easily 
modified to accommodate infinitely many possible executions, as well as additional conver- 
sations: for instance the protocol may allow "buyer" to answer "seller" with a counteroffer, 
or it may interleave this bargaining with an independent bargaining with a second seller. 

All essential features of protocols are in the example above, which connects some basic 
communication actions by the flow control points we underlined in the text. More generally, 
we interpret a protocol as a possibly infinite set of finite sequences of interactions between 
a fixed set of participants. We argue that the sequences that characterize a protocol — and 
thus the protocol itself — can be described by a language with one form of atomic action and 
three composition operators. 

Atomic actions: The only atomic action is the interaction, which consists of one (or 
more) sender(s) (e.g., "seller sends"), the content of the communication (e.g., "a price", "a 
description", "acceptance"), and one (or more) receiver(s) (e.g., "buyer"). 
Compound actions: Actions and, more generally, protocols can be composed in three 
different ways. First, two protocols can be composed sequentially (e.g., "Seller sends buyer 
a price. . . ; then buyer sends. . . ") thus imposing a precise order between the actions of 
the composed protocols. Alternatively, two protocols can be composed without specifying 
any constraint (e.g., "Seller sends a price and (sends) a description") thus indicating that 
any order between the actions of the composed protocols is acceptable. Finally, protocols 
can be composed in alternative (e.g., "buyer sends acceptance or it quits"), thus offering 
a choice between two or more protocols only one of which may be chosen. 

More formally, we use $p \xrightarrow{a} q$ to state that participant p sends participant q a message 
whose content is described by a, and we use « ; », « ∧ », and « ∨ » to denote sequential, 
unconstrained, and alternative composition, respectively. Our initial example can thus be 
rewritten as follows: 

$$\begin{array}{l}
(\mathsf{seller} \xrightarrow{\mathsf{descr}} \mathsf{buyer} \wedge \mathsf{seller} \xrightarrow{\mathsf{price}} \mathsf{buyer});\\
(\mathsf{buyer} \xrightarrow{\mathsf{accept}} \mathsf{seller} \vee \mathsf{buyer} \xrightarrow{\mathsf{quit}} \mathsf{seller})
\end{array} \tag{1.1}$$

The first two actions are composed without constraints, and they are to be followed by 
one (and only one) action of the alternative before ending. Interactions of unlimited length 
can be defined by resorting to a Kleene star notation. For example to extend the previous 
protocol so that the buyer may send a counter-offer and wait for a new price, it suffices to 
add a Kleene-starred line: 

$$\begin{array}{l}
(\mathsf{seller} \xrightarrow{\mathsf{descr}} \mathsf{buyer} \wedge \mathsf{seller} \xrightarrow{\mathsf{price}} \mathsf{buyer});\\
(\mathsf{buyer} \xrightarrow{\mathsf{offer}} \mathsf{seller};\ \mathsf{seller} \xrightarrow{\mathsf{price}} \mathsf{buyer})^*;\\
(\mathsf{buyer} \xrightarrow{\mathsf{accept}} \mathsf{seller} \vee \mathsf{buyer} \xrightarrow{\mathsf{quit}} \mathsf{seller})
\end{array} \tag{1.2}$$
The description above states that, after having received (in no particular order) the price 
and the description from the seller, the buyer can initiate a loop of zero or more interactions 
and then decide whether to accept or quit. 

Whenever there is an alternative there must be a participant that decides which path 
to take. In both examples it is buyer that makes the choice by deciding whether to send 
accept or quit. The presence of a participant that decides holds true in loops too, since it is 
again buyer that decides whether to enter or repeat the iteration (by sending offer) or to 
exit it (by sending accept or quit). We will later show that absence of such decision-makers 
makes protocols impossible to implement. This last point critically depends on the main 
hypothesis we assume about the systems we are going to describe, that is the absence of 
covert channels. On the one hand, we try to develop a protocol description language that 
is as generic as possible; on the other hand, we limit the power of the system and require 
all communications between different participants to be explicitly stated. In doing so we 
rule out protocols whose implementation essentially relies on the presence of secret/invisible 
communications between participants: a protocol description must contain all and only the 
interactions used to implement it. 

Protocol specifications such as the ones presented above are usually called global types 
to emphasize the fact that they describe the acceptable behaviors of a system from a global 
point of view. In an actual implementation of the system, though, each participant au- 
tonomously implements a different part of the protocol. To understand whether an imple- 
mentation satisfies a specification, one has to consider the set of all possible sequences of 
synchronizations performed by the implementation and check whether this set satisfies five 
basic properties: 

(1) Sequentiality: if the specification states that two interactions must occur in a given 
order (by separating them by a « ; »), then this order must be respected by all possible 
executions. So an implementation in which buyer may send accept before receiving price 
violates the specification (1.1) (and (1.2)). 

(2) Alternativeness: if the specification states that two interactions are alternative, then 
every execution must exhibit one and only one of these two actions. So an implementa- 
tion in which buyer emits both accept and quit (or none of them) in the same execution 
violates the specification (1.1). 

(3) Shuffling: if the specification composes two sequences of interactions in an unconstrained 
way, then all executions must exhibit some shuffling (in the sense used in combinatorics 
and algebra) of these sequences. So an implementation in which seller emits price 
without emitting descr violates the specification (1.1). 

(4) Fitness: if the implementation exhibits a sequence of interactions, then this sequence 
is expected by (i.e., it fits) the specification. So any implementation in which seller 
sends buyer any message other than price and descr violates the specification (1.1). 

(5) Exhaustivity: if some sequence of interactions is described by the specification, then 
there must exist at least an execution of the implementation that exhibits these actions 
(possibly in a different order). So an implementation in which no execution of buyer 
emits accept violates the specification (1.1). 

Checking whether an implemented system satisfies a specification by comparing the actual 
and the expected sequences of interactions is non-trivial, for systems are usually infinite- 
state. Therefore, on the lines of [HYC08], we proceed the other way round: we extract 
from a global type the local specification (usually dubbed local type or session type [THK94, 
HVK98]) of each participant in the system and we type-check the implementation of each 
participant against the corresponding session type. If the projection operation is done 
properly and the global specification satisfies some well-formedness conditions, then we are 
guaranteed that the implementation satisfies the specification. As an example, the global 
type (1.1) can be projected to the following behaviors for buyer and seller: 

$$\mathsf{buyer}!\mathsf{descr}.\mathsf{buyer}!\mathsf{price}.(\mathsf{buyer}?\mathsf{accept} + \mathsf{buyer}?\mathsf{quit})$$
$$\mathsf{seller}?\mathsf{descr}.\mathsf{seller}?\mathsf{price}.(\mathsf{seller}!\mathsf{accept} \oplus \mathsf{seller}!\mathsf{quit})$$

or to 

$$\mathsf{buyer}!\mathsf{price}.\mathsf{buyer}!\mathsf{descr}.(\mathsf{buyer}?\mathsf{accept} + \mathsf{buyer}?\mathsf{quit})$$
$$\mathsf{seller}?\mathsf{price}.\mathsf{seller}?\mathsf{descr}.(\mathsf{seller}!\mathsf{accept} \oplus \mathsf{seller}!\mathsf{quit})$$

where p!a denotes the output of a message a to participant p, p?a the input of a message a 
from participant p, p?a.T + q?b.S the (external) choice to continue as T or S according to 
whether a is received from p or b is received from q and, finally, p!a.T ⊕ q!b.S denotes the 
(internal) choice between sending a to p and continue as T or sending b to q and continue as 
S. We will call session environments the mappings from participants to their session types. 
It is easy to see that any two processes implementing buyer and seller will satisfy the global 
type (jl.ip if and only if their visible behavior matches one of the two session environments 
above (these session environments thus represent some sort of minimal typings of processes 
implementing buyer and seller). In particular, both the above session environments are 
fitting and exhaustive with respect to the specification since they precisely describe what 
the single participants are expected and bound to do. 

In this work we will discuss how to characterize a set of session environments (if any) 
from participants to session types that is sound and complete, with respect to a given global 
type. We will also show an algorithm that, in several practical cases, can effectively perform 
the extraction of the session environment from a global type. Observe that there are global 
types that are intrinsically flawed, in the sense that they do not admit any implementation 
(without covert channels) satisfying them. We classify flawed global types in three categories, 
according to the seriousness of their flaws. 
No sequentiality: The mildest flaws are those in which the global type specifies some 
sequentiality constraint between independent interactions, such as in $(p \xrightarrow{a} q;\ r \xrightarrow{b} s)$, 
since it is impossible to implement r so that it sends b only after q has received a 
(unless this reception is notified on a covert channel, of course). Therefore, it is possible 
to find exhaustive (but not fitting) implementations that include some unexpected se- 
quences which differ from the expected ones only by a permutation of interactions done 
by independent participants. The specification at issue can be easily patched by replacing 
some « ; »'s by « ∧ »'s. 
No knowledge for choice: A more severe kind of fiaw occurs when the global type requires 
some participant to behave in different ways in accordance with some choice it is unaware 
of. For instance, in the global type 

$$(p \xrightarrow{a} q;\ q \xrightarrow{a} r;\ r \xrightarrow{a} p) \vee (p \xrightarrow{b} q;\ q \xrightarrow{a} r;\ r \xrightarrow{b} p)$$

participant p chooses the branch to execute, but after having received a from q participant 
r has no way to know whether it has to send a or b. Also in this case it is possible to find 
exhaustive (but not fitting) implementations of the global type where the participant r 
chooses to send a or b independently of what p decided to do. 
No knowledge, no choice: In the worst case it is not possible to find an exhaustive 
implementation of the global type, for it specifies some combination of incompatible 
behaviors, such as performing an input or an output in mutual exclusion. This typically 
is the case of the absence of a decision-maker in the alternatives such as in 

$$p \xrightarrow{a} q \vee q \xrightarrow{a} p$$

where each participant is required to choose between sending or receiving. There seems 
to be no obvious way to patch these global types without reconsidering also the intended 
semantics. 
We conclude this introduction by stressing that in this work we focus on single sessions. The 
participants of a system can concurrently implement and bring forward different sessions but 
we suppose the management of different sessions (e.g., the exchange of sessions channels) to 
belong to the meta-level. The internalization of such a level (i.e., the use of delegation) is 
left for future work (see Section 7.3.1). 

Outline and contributions. We introduce a streamlined language of global specifications — 
that we dub global types (Section 2) — and relate it with session environments (Section 3), 
that is, with sets of independent, sequential, asynchronous session types to be type-checked 
against implementations. Global types are just regular expressions augmented with a shuf- 
fling operator and their semantics is defined in terms of finite sequences of interactions. The 
semantics chosen for global types ensures that every implementation of a global type pre- 
serves the possibility to reach a state where every participant has successfully terminated. 
This implies that no participant of a multi-party session starves waiting for messages that 
are never sent or sends messages that no other participant will ever receive. This property 
is stronger than the progress enforced by other theories of multi-party sessions, where it is 
enough that two participants synchronize to be able to say that the session has progress. 
Technically, we make a strong fairness assumption on sessions by considering only fair com- 
putations, those where infinitely often enabled transitions occur infinitely often. 

In Section 4 we study the relationship between global types and sessions. We do so by 
defining a projection operation that extracts from a global type all the (sets of) possible 
session types of its participants. This projection is useful not only to check the imple- 
mentability of a global description (and, incidentally, to formally define the notions of errors 
informally described so far) but, above all, to relate in a compositional and modular way a 
global type with the sets of distributed processes that implement it. We also identify a class 
of well-formed global types whose projections need no covert channels. Interestingly, we are 
able to effectively characterize well-formed global types solely in terms of their semantics. 

In Section 5 we present a projection algorithm for global types. The effective generation 
of all possible projections is impossible. The reason is that the projectability of a global type 
may rely on some global knowledge that is no longer available when working at the level of 
single session types: while in a global approach we can, say, add to some participant new 
synchronization offers that, thanks to our global knowledge, we know will never be used, this 
cannot be done when working at the level of single participant. Therefore in order to work 
at the projected level we will use stronger assumptions that ensure a sound implementation 
in all possible contexts. 

In Section 6 we show some limitations deriving from the use of the Kleene star operator 
in our language of global types, and we present one possible way to circumvent them. 
Section 7 contains an extended survey of related work, with samples of the literature of 
session types and session choreography expressed in our syntax and an in-depth comparison 
with our work. A few final considerations conclude the work in Section 8. The Appendix 
contains proofs and some technical discussions. 

We summarize the contributions of our work below: 

• With respect to (multi-party) session type theories [HYC08], we adopt a more abstract 
and — we claim — natural language of global types (Section 2) that is closely related to the 
language of Web service choreographies in [BZ07]. We define a notion of session correctness 
that depends on a strong fairness assumption. On the one hand, this is more demanding 
than in other multi-party session theories because we insist on the property that a correct 
session must preserve the ability to reach a terminated state; on the other hand, we claim 
that eventual termination is indeed a desirable property of sessions, and we provide a 
number of examples showing that, if the hypothesis of an eventual termination of every 
session is assumed, our formalism allows for a range of projectable global specifications 
that is strictly larger than the one other formalisms admit under the same assumption. 

• With respect to Web service choreography languages [BZ07, LGMZ08, BZ08, BLZ08], 
where projection is defined by a homomorphism between the global and the local spec- 
ifications, we define a significantly more sophisticated projection procedure (Sections 4 
and 5) with two main upshots. First, we handle the projection of unconstrained composi- 
tion of global specifications in a more flexible way, by permitting (partial) serialization of 
independent activities whenever this is either convenient or necessary. Second, we widen 
the range of projectable choreographies by imposing fewer constraints on the way alterna- 
tive specifications can be composed together. We also point out some shortcomings of the 
Kleene star operator and propose a solution based on k-exit iterations that circumvents 
them (Section 6). 

• In order to account for the possible serializations of independent activities, we identify 
an original notion of completeness (Definition 4.1) of projections with respect to global 
specifications that is weaker (and consequently more flexible) than the corresponding 
notions in other theories. 

• Section 7 provides a rather detailed survey of a wide range of related formalisms and 
techniques. 

2. Global Types 

In this section we define the syntax and semantics of global types. We assume a set $\mathcal{A}$ of 
message types, ranged over by $a, b, \ldots$, and a set $\Pi$ of roles, ranged over by $p, q, \ldots$, which 
we use to uniquely identify the participants of a session; we let $\pi, \ldots$ range over non-empty, 
finite sets of roles. 

Global types, ranged over by $\mathcal{G}$, are the terms generated by the grammar in Table 1. 
Their syntax was already explained in Section 1 except for two novelties. First, we include 
a skip atom which denotes the unit of sequential composition (it plays the same role as 
the empty word in regular expressions). This is useful, for instance, to express optional 
interactions. Thus, if in our example we want the buyer to do at most one counteroffer 
instead of several ones, we just replace the starred line in (1.2) by 



$$(\mathsf{buyer} \xrightarrow{\mathsf{offer}} \mathsf{seller};\ \mathsf{seller} \xrightarrow{\mathsf{price}} \mathsf{buyer}) \vee \mathsf{skip}$$
Table 1: Syntax of global types. 

$\mathcal{G}$ ::=                                       Global Type 
      | $\mathsf{skip}$                                 (skip) 
      | $\pi \xrightarrow{a} p$                         (interaction) 
      | $\mathcal{G};\mathcal{G}$                       (sequence) 
      | $\mathcal{G} \wedge \mathcal{G}$                (both) 
      | $\mathcal{G} \vee \mathcal{G}$                  (either) 
      | $\mathcal{G}^*$                                 (star) 



which, using syntactic sugar of regular expressions, might be rendered as 

$$(\mathsf{buyer} \xrightarrow{\mathsf{offer}} \mathsf{seller};\ \mathsf{seller} \xrightarrow{\mathsf{price}} \mathsf{buyer})?$$

Second, we generalize interactions by allowing a finite set of roles on the l.h.s. of 
interactions. Therefore, $\pi \xrightarrow{a} p$ denotes the fact that (the participant identified by) p waits 
for an a message from all of the participants whose tags are in $\pi$. We will write $p \xrightarrow{a} q$ 
as a shorthand for $\{p\} \xrightarrow{a} q$. An example showing the usefulness of multiple roles on the 
left-hand side of actions is the following one 

$$\begin{array}{l}
(\mathsf{seller} \xrightarrow{\mathsf{price}} \mathsf{buyer1} \wedge \mathsf{bank} \xrightarrow{\mathsf{mortgage}} \mathsf{buyer2});\\
(\{\mathsf{buyer1},\mathsf{buyer2}\} \xrightarrow{\mathsf{accept}} \mathsf{seller} \wedge \{\mathsf{buyer1},\mathsf{buyer2}\} \xrightarrow{\mathsf{accept}} \mathsf{bank})
\end{array}$$

which represents two buyers waiting for both the price from a seller and the mortgage from a 
bank before deciding the purchase. Notice that without this generalization the communica- 
tion of accept to, say, the seller would be performed by two distinct communications from 
buyerl and buyer2. But in that case, how could buyerl be sure that buyer2 had received 
mortgage before sending accept to seller? And symmetrically, how could buyer2 be sure 
that buyerl had received price before sending accept to seller? Actions with multiple- 
senders allow us to express the join of independent activities (in this case, the receival of 
price and mortgage). 

To be as general as possible, one could also consider interactions of the form $\pi \xrightarrow{a} \pi'$, 
which could be used to specify broadcast communications between participants. We avoided 
this generalization since it cannot be implemented without covert channels. In fact in a sound 
execution of 

$$\mathsf{seller} \xrightarrow{\mathsf{price}} \{\mathsf{buyer1}, \mathsf{buyer2}\},$$

the reception of price by buyer1 should wait also for the reception of price by buyer2 and 
vice versa, and this requires a synchronization between buyer1 and buyer2. 

In general we will assume $p \notin \pi$ for every interaction $\pi \xrightarrow{a} p$ occurring in a global type, 
that is, we forbid participants to send messages to themselves. 

For the sake of readability we adopt the following precedence of global type operators, 
from the tightest to the loosest binding: $\to$, $*$, $;$, $\wedge$, $\vee$. 

Global types denote languages of legal interactions that can occur in a multi-party 
session. These languages are defined over the alphabet of interactions 

$$\Sigma = \{\pi \xrightarrow{a} p \mid \pi \subseteq_{\mathrm{fin}} \Pi,\ p \in \Pi,\ p \notin \pi,\ a \in \mathcal{A}\}$$

and we use $\alpha$ as short for $\pi \xrightarrow{a} p$ when possible; we use $\varphi, \psi, \ldots$ to range over strings in 
$\Sigma^*$ and $\varepsilon$ to denote the empty string, as usual. To improve readability we will occasionally 
use « ; » to denote string concatenation. 

In order to express the language of a global type having the shape $\mathcal{G}_1 \wedge \mathcal{G}_2$ we need a 
standard shuffling operator over languages, which can be defined as follows: 

Definition 2.1 (shuffling). The shuffle of $L_1$ and $L_2$, denoted by $L_1 \sqcup\!\!\sqcup L_2$, is the language 
defined by: 

$$L_1 \sqcup\!\!\sqcup L_2 \stackrel{\mathrm{def}}{=} \{\varphi_1\psi_1 \cdots \varphi_n\psi_n \mid \varphi_1 \cdots \varphi_n \in L_1 \wedge \psi_1 \cdots \psi_n \in L_2\}.$$

Observe that, in $L_1 \sqcup\!\!\sqcup L_2$, the order of interactions coming from one language is preserved, 
but these interactions can be interspersed with other interactions coming from the other 
language. 

Definition 2.2 (traces of global types). The set of traces of a global type is inductively 
defined by the following equations: 

$$\begin{array}{lll}
\mathrm{tr}(\mathsf{skip}) = \{\varepsilon\} &
\mathrm{tr}(\mathcal{G}_1;\mathcal{G}_2) = \mathrm{tr}(\mathcal{G}_1)\,\mathrm{tr}(\mathcal{G}_2) &
\mathrm{tr}(\mathcal{G}_1 \vee \mathcal{G}_2) = \mathrm{tr}(\mathcal{G}_1) \cup \mathrm{tr}(\mathcal{G}_2)\\[4pt]
\mathrm{tr}(\pi \xrightarrow{a} p) = \{\pi \xrightarrow{a} p\} &
\mathrm{tr}(\mathcal{G}^*) = (\mathrm{tr}(\mathcal{G}))^* &
\mathrm{tr}(\mathcal{G}_1 \wedge \mathcal{G}_2) = \mathrm{tr}(\mathcal{G}_1) \sqcup\!\!\sqcup \mathrm{tr}(\mathcal{G}_2)
\end{array}$$

where juxtaposition denotes concatenation and (•)* is the usual Kleene closure of regular 
languages. 

Before we move on, it is worth noting that $\mathrm{tr}(\mathcal{G})$ is a regular language (recall that 
regular languages are closed under shuffling). Since a regular language is made of finite 
strings, we are implicitly making the assumption that a global type specifies interactions of 
finite length. This means that we are considering interactions of arbitrary length, but such 
that the termination of all the involved participants is always within reach. This is a subtle, 
yet radical change from other multi-party session theories, where infinite interactions are 
considered legal. 

By way of example, consider the global type 

$$\mathcal{G} = (p \xrightarrow{\mathsf{descr}} q \wedge p \xrightarrow{\mathsf{price}} q);\ (q \xrightarrow{\mathsf{offer}} p;\ p \xrightarrow{\mathsf{price}} q)^*;\ (q \xrightarrow{\mathsf{accept}} p \vee q \xrightarrow{\mathsf{quit}} p)$$

which represents the bargain protocol described in the introduction (p plays the seller 
and q the buyer). Every long enough string in $\mathrm{tr}(\mathcal{G})$ has either the form 

$$\varphi;\ q \xrightarrow{\mathsf{offer}} p;\ p \xrightarrow{\mathsf{price}} q;\ \cdots;\ q \xrightarrow{\mathsf{accept}} p \qquad\text{or}\qquad \varphi;\ q \xrightarrow{\mathsf{offer}} p;\ p \xrightarrow{\mathsf{price}} q;\ \cdots;\ q \xrightarrow{\mathsf{quit}} p$$

for some appropriate $\varphi$, meaning that the phase in which the buyer makes new offers can 
be arbitrarily long, although it must eventually terminate with the decision to either quit 
or accept. 
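The trace semantics of Definitions 2.1 and 2.2 applied to the bargain protocol above, as an added Python example that is not part of the paper: global types are nested tuples, the shuffle enumerates the interleavings of Definition 2.1, and the Kleene star is cut at k iterations (an assumption of this example, needed to make the result finite), so tr() returns the subset of tr(𝒢) with at most k rounds of offers.

```python
"""Trace semantics of global types (Definitions 2.1 and 2.2), added example.

A global type is a nested tuple; an interaction is (senders, msg, receiver)
with senders a frozenset of roles. The Kleene star is unrolled at most
`k` times (an assumption of this example), so tr() returns the finite
subset of the traces that iterate each star at most k times.
"""
from itertools import combinations


def skip():
    return ("skip",)


def act(senders, msg, receiver):
    # pi -a-> p : every role in pi sends msg, p receives all of them;
    # participants never send to themselves (Section 2).
    assert receiver not in senders, "p must not belong to pi"
    return ("act", (frozenset(senders), msg, receiver))


def seq(g1, g2):
    return ("seq", g1, g2)


def both(g1, g2):
    return ("both", g1, g2)


def either(g1, g2):
    return ("either", g1, g2)


def star(g):
    return ("star", g)


def shuffle(l1, l2):
    """Definition 2.1: the order inside each word is kept, but the two words
    may be interspersed arbitrarily (every choice of slots for u's symbols)."""
    out = set()
    for u in l1:
        for v in l2:
            n = len(u) + len(v)
            for slots in combinations(range(n), len(u)):
                ui, vi, w = 0, 0, []
                for i in range(n):
                    if i in slots:
                        w.append(u[ui]); ui += 1
                    else:
                        w.append(v[vi]); vi += 1
                out.add(tuple(w))
    return out


def tr(g, k=2):
    """Definition 2.2, with (tr(G))* cut at k iterations."""
    tag = g[0]
    if tag == "skip":
        return {()}
    if tag == "act":
        return {(g[1],)}
    if tag == "seq":                     # juxtaposition = concatenation
        return {u + v for u in tr(g[1], k) for v in tr(g[2], k)}
    if tag == "either":
        return tr(g[1], k) | tr(g[2], k)
    if tag == "both":
        return shuffle(tr(g[1], k), tr(g[2], k))
    if tag == "star":
        body, acc, cur = tr(g[1], k), {()}, {()}
        for _ in range(k):               # epsilon, body, body body, ...
            cur = {u + v for u in cur for v in body}
            acc |= cur
        return acc
    raise ValueError(tag)


def fmt(trace):
    return "; ".join(f"{'+'.join(sorted(s))} -{m}-> {r}" for s, m, r in trace)


# The bargaining protocol (1.2), with p = seller and q = buyer.
BARGAIN = seq(
    both(act({"seller"}, "descr", "buyer"), act({"seller"}, "price", "buyer")),
    seq(star(seq(act({"buyer"}, "offer", "seller"),
                 act({"seller"}, "price", "buyer"))),
        either(act({"buyer"}, "accept", "seller"),
               act({"buyer"}, "quit", "seller"))))


def ends_with_decision(trace):
    """However long the offer loop ran, a trace ends with accept or quit."""
    return trace[-1][1] in ("accept", "quit")


def first_two_messages(traces):
    """The shuffle allows descr and price in either order."""
    return {(t[0][1], t[1][1]) for t in traces}


if __name__ == "__main__":
    for t in sorted(tr(BARGAIN, 1), key=len):
        print(fmt(t))
```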
Table 2: Syntax of pre-session types. 

T ::=                                       Pre-Session Type 
      | $\mathsf{end}$                        (termination) 
      | $X$                                   (variable) 
      | $p!a.T$                               (output) 
      | $\pi?a.T$                             (input) 
      | $T \oplus T$                          (internal choice) 
      | $T + T$                               (external choice) 
      | $\mathsf{rec}\,X.T$                   (recursion) 

3. Multi-Party Sessions 

We devote this section to the formal definition of the behavior of the participants of a 
multi-party session. 



3.1. Session Types. We need an infinite set of recursion variables ranged over by $X, \ldots$. 
Pre-session types, ranged over by $T, S, \ldots$, are the terms generated by the grammar in 
Table 2 such that all recursion variables are guarded by at least one input or output prefix. 
We consider pre-session types modulo associativity, commutativity, and idempotence of 
internal and external choices, fold/unfold of recursions and the equalities 

$$p!a.T \oplus p!a.S = p!a.(T \oplus S) \qquad\qquad \pi?a.T + \pi?a.S = \pi?a.(T + S)$$

Pre-session types are behavioral descriptions of the participants of a multi-party session. 
Informally, end describes a successfully terminated party that no longer participates to a 
session. The pre-session type $p!a.T$ describes a participant that sends an a message to 
participant p and afterwards behaves according to T; the pre-session type $\pi?a.T$ describes a 
participant that waits for an a message from all the participants in $\pi$ and, upon arrival of the 
message, behaves according to T; we will usually abbreviate $\{p\}?a.T$ with $p?a.T$. Behaviors 
can be combined by means of behavioral choices $\oplus$ and $+$: $T \oplus S$ describes a participant 
that internally decides whether to behave according to T or S; $T + S$ describes a participant 
that offers to the other participants two possible behaviors, T and S. The choice as to which 
behavior is taken depends on the messages sent by the other participants. In the following, 
we sometimes use n-ary versions of internal and external choices and write, for example, 

$$\bigoplus_{i=1}^{n} p_i!a_i.T_i \ \text{ for }\ p_1!a_1.T_1 \oplus \cdots \oplus p_n!a_n.T_n \qquad\text{and}\qquad \sum_{i=1}^{n} \pi_i?a_i.T_i \ \text{ for }\ \pi_1?a_1.T_1 + \cdots + \pi_n?a_n.T_n.$$

As usual, terms X and $\mathsf{rec}\,X.T$ are used for describing recursive behaviors. For example, 
$\mathsf{rec}\,X.(p!a.X \oplus p!b.\mathsf{end})$ describes a participant that sends an arbitrary number of a messages 
to p and terminates by sending a b message; dually, $\mathsf{rec}\,X.(p?a.X + p?b.\mathsf{end})$ describes a 
participant that is capable of receiving an arbitrary number of a messages from p and 
terminates as soon as a b message is received. 

Session types are the pre-session types where internal choices are used to combine out- 
puts, external choices are used to combine inputs, and the continuation after every prefix is 
uniquely determined by the prefix. Formally: 

Definition 3.1 (session types). A pre-session type T is a session type if either: 
• $T = \mathsf{end}$, or 
• $T = \bigoplus_{i \in I} p_i!a_i.T_i$ and $\forall i,j \in I$ we have that $p_i!a_i = p_j!a_j$ implies $i = j$ and each $T_i$ is a 
session type, or 
• $T = \sum_{i \in I} \pi_i?a_i.T_i$ and $\forall i,j \in I$ we have that $\pi_i \subseteq \pi_j$ and $a_i = a_j$ imply $i = j$ and each 
$T_i$ is a session type. 

10 G. CASTAGNA, M. DEZANI-CIANCAGLINI, AND L. PADOVANI 



3.2. Session Environments. A session environment is defined as the set of the session 
types of its participants, where each participant is uniquely identified by a role. Formally: 

Definition 3.2 (session environment). A session environment (briefly, session) is a finite 
map $\{p_i : T_i\}_{i \in I}$. 

In what follows we use $\Delta$ to range over sessions and we write $\Delta \uplus \Delta'$ to denote the union 
of sessions, when their domains are disjoint. 

To describe the operational semantics of a session we model an asynchronous form of 
communication where the messages sent by the participants of the session are stored within 
a buffer associated with the session. Each message has the form $p \xrightarrow{a} q$ describing the 
sender p, the receiver q, and the type a of message. Buffers, ranged over by $B, \ldots$, are finite 
sequences $p_1 \xrightarrow{a_1} q_1 :: \cdots :: p_n \xrightarrow{a_n} q_n$ of messages considered modulo the least congruence 
$\equiv$ over buffers such that 

$$p \xrightarrow{a} q :: p' \xrightarrow{b} q' \ \equiv\ p' \xrightarrow{b} q' :: p \xrightarrow{a} q$$

when $p \neq p'$ or $q \neq q'$, that is, we care about the order of messages in the buffer only when 
these have both the same sender and the same receiver. In practice, this corresponds to a 
form of communication where each pair of participants of a multi-party session is connected 
by a distinct FIFO buffer. 

There are two possible reductions of a session: 

$$B \,\sharp\, \{p : \bigoplus_{i \in I} p_i!a_i.T_i\} \uplus \Delta \ \longrightarrow\ (p \xrightarrow{a_k} p_k) :: B \,\sharp\, \{p : T_k\} \uplus \Delta \qquad (k \in I)$$

$$B :: (p' \xrightarrow{a_k} p)_{p' \in \pi_k} \,\sharp\, \{p : \sum_{i \in I} \pi_i?a_i.T_i\} \uplus \Delta \ \xrightarrow{\ \pi_k \xrightarrow{a_k} p\ }\ B \,\sharp\, \{p : T_k\} \uplus \Delta \qquad (k \in I)$$

The first rule describes the effect of an output operation performed by participant p, which 
stores the message $p \xrightarrow{a_k} p_k$ in the buffer and leaves participant p with a residual session type 
$T_k$ corresponding to the message that has been sent. The second rule describes the effect of 
an input operation performed by participant p. If the buffer contains enough messages of 
type $a_k$ coming from all the participants in $\pi_k$, those messages are removed from the buffer and 
the receiver continues as described in $T_k$. In this rule we decorate the reduction relation with 
$\pi_k \xrightarrow{a_k} p$ that describes the occurred interaction (as we have already remarked, we take the 
point of view that an interaction is completed when messages are received). This decoration 
will allow us to relate the behavior of an implemented session with the traces of a global type 
(see Definition 2.2). According to this semantics, the input prefixes $\{p_1, \ldots, p_n\}?a$ resemble 
join patterns $p_1?a \,\&\, \cdots \,\&\, p_n?a$ in the join calculus [FG96], except that we impose that all 
the messages coming from $p_1, \ldots, p_n$ have the same type. 

We adopt some conventional notation: we write $\Longrightarrow$ for the reflexive, transitive closure 
of $\longrightarrow$; we write $\stackrel{\alpha}{\Longrightarrow}$ for the composition $\Longrightarrow \stackrel{\alpha}{\longrightarrow} \Longrightarrow$ and $\stackrel{\varphi}{\Longrightarrow}$ for the composition 
We can now formally characterize the "correct sessions" as those in which, no matter 
how they reduce, it is always possible to reach a state where all of the participants are 
successfully terminated and the buffer has been emptied. 

Definition 3.3 (live session). We say that $\Delta$ is a live session if $\varepsilon \,\sharp\, \Delta \Longrightarrow B \,\sharp\, \Delta'$ implies 
$B \,\sharp\, \Delta' \stackrel{\varphi}{\Longrightarrow} \varepsilon \,\sharp\, \{p_i : \mathsf{end}\}_{i \in I}$ for some $\varphi$. 

We adopt the term "live session" to emphasize the fact that Definition 3.3 states a 
liveness property: every finite computation $\varepsilon \,\sharp\, \Delta \Longrightarrow B \,\sharp\, \Delta'$ can always be extended to 
a successful computation $\varepsilon \,\sharp\, \Delta \Longrightarrow B \,\sharp\, \Delta' \stackrel{\varphi}{\Longrightarrow} \varepsilon \,\sharp\, \{p_i : \mathsf{end}\}_{i \in I}$. This is stronger than 
the progress property enforced by other multi-party session type theories, where it is only 
required that a session must never get stuck (but it is possible that some participants starve 
for messages that are never sent). As an example, the session 

\[ \Delta_1 = \{ p : \mathsf{rec}\,X.(q!a.X \oplus q!b.\mathsf{end}),\; q : \mathsf{rec}\,Y.(p?a.Y + p?b.\mathsf{end}) \} \]

is alive because, no matter how many $a$ messages $p$ sends, $q$ can receive all of them and, if $p$ chooses to send a $b$ message, the interaction terminates successfully for both $p$ and $q$. This example also shows that, despite the fact that session types describe finite-state processes, the session $\Delta_1$ is not finite-state, in the sense that the set of configurations $\{ \mathfrak{B} \,\#\, \Delta' \mid \exists \varphi, \mathfrak{B}, \Delta' : \varepsilon \,\#\, \Delta_1 \Rightarrow^{\varphi} \mathfrak{B} \,\#\, \Delta' \}$ is infinite. This happens because there is no bound on the size of the buffer and an arbitrary number of $a$ messages sent by $p$ can accumulate in $\mathfrak{B}$ before $q$ receives them. As a consequence, the fact that a session is alive cannot be established in general by means of a brute force algorithm that checks every reachable configuration. By contrast, the session

\[ \Delta_2 = \{ p : \mathsf{rec}\,X.q!a.X,\; q : \mathsf{rec}\,Y.p?a.Y \} \]

which is normally regarded as correct in other session type theories, is not alive because there is no way for $p$ and $q$ to reach a successfully terminated state. The point is that hitherto the correctness of a session was associated with progress (i.e., the system is never stuck). This is a weak notion of correctness since, for instance, the session $\Delta_2 \uplus \{ r : p?c.\mathsf{end} \}$ satisfies progress even though role $r$ starves waiting for its input. While in this example starvation is clear, since no $c$ message is ever sent, determining starvation is in general less obvious, as for

\[ \Delta_3 = \{ p : \mathsf{rec}\,X.q!a.q!b.X,\; q : \mathsf{rec}\,Y.(p?a.p?b.Y + p?b.r!c.\mathsf{end}),\; r : q?c.\mathsf{end} \} \]

which satisfies progress, where every input corresponds to a compatible output and vice versa, but which is not alive.

We remark once again that our work focuses on a single session. In particular, our 
definition of live session does not preclude the existence of a perpetual server that opens an 
unbounded number of sessions, each of them having a finite but unbounded length. 

We can now define the traces of a session as the set of sequences of interactions that can occur in every possible reduction. It is convenient to define the traces of an incorrect (i.e., non-live) session as the empty set (observe that $\mathsf{tr}(\mathcal{G}) \neq \emptyset$ for every $\mathcal{G}$).

Definition 3.4 (session traces).

\[ \mathsf{tr}(\Delta) \stackrel{\mathrm{def}}{=} \begin{cases} \{ \varphi \mid \varepsilon \,\#\, \Delta \Rightarrow^{\varphi} \varepsilon \,\#\, \{p_i : \mathsf{end}\}_{i \in I} \} & \text{if } \Delta \text{ is a live session} \\ \emptyset & \text{otherwise} \end{cases} \]
It is easy to verify that $\mathsf{tr}(\Delta_1) = \mathsf{tr}((p \xrightarrow{a} q)^*; p \xrightarrow{b} q)$ while $\mathsf{tr}(\Delta_2) = \mathsf{tr}(\Delta_3) = \emptyset$ since neither $\Delta_2$ nor $\Delta_3$ is a live session.

4. Semantic projection 

In this section we show how to project a global type to the session types of its participants, i.e., to a session, in such a way that the projection is correct with respect to the global type. Before we move on, we must be more precise about what we mean by correctness of a session $\Delta$ with respect to a global type $\mathcal{G}$. In our setting, correctness refers to some relationship between the traces of $\Delta$ and those of $\mathcal{G}$. In general, however, we cannot require that $\mathcal{G}$ and $\Delta$ have exactly the same traces: when projecting $\mathcal{G}_1 \wedge \mathcal{G}_2$ we might need to impose a particular order in which the interactions specified by $\mathcal{G}_1$ and $\mathcal{G}_2$ must occur (shuffling condition). At the same time, asking only $\mathsf{tr}(\Delta) \subseteq \mathsf{tr}(\mathcal{G})$ would lead us to immediately lose the exhaustivity property, since for instance $\{p : q!a.\mathsf{end},\; q : p?a.\mathsf{end}\}$ would implement $p \xrightarrow{a} q \vee p \xrightarrow{b} q$ even though the implementation systematically exhibits only one ($p \xrightarrow{a} q$) of the specified alternative behaviors. In the end, we say that $\Delta$ is a correct implementation of $\mathcal{G}$ if: first, every trace of $\Delta$ is a trace of $\mathcal{G}$ (soundness); second, every trace of $\mathcal{G}$ is the permutation of a trace of $\Delta$ (completeness). Formally:

\[ \mathsf{tr}(\Delta) \subseteq \mathsf{tr}(\mathcal{G}) \subseteq \mathsf{tr}(\Delta)^{\circ} \]

where $L^{\circ}$ is the closure of $L$ under arbitrary permutations of the strings in $L$:

\[ L^{\circ} = \{ \alpha_1 \cdots \alpha_n \mid \text{there exists a permutation } \sigma \text{ such that } \alpha_{\sigma(1)} \cdots \alpha_{\sigma(n)} \in L \} \]

Since these relations between languages (of traces) play a crucial role, it is convenient 
to define a suitable pre-order relation: 

Definition 4.1 (implementation pre-order). We let $L_1 \sqsubseteq L_2$ if $L_1 \subseteq L_2 \subseteq L_1^{\circ}$ and extend it to global types and sessions in the natural way, by considering the corresponding sets of traces. Therefore, we write $\Delta \sqsubseteq \mathcal{G}$ if $\mathsf{tr}(\Delta) \sqsubseteq \mathsf{tr}(\mathcal{G})$ and similarly for $\mathcal{G} \sqsubseteq \mathcal{G}'$ and $\Delta \sqsubseteq \Delta'$.

It is easy to see that soundness and completeness respectively formalize the notions of fitness and exhaustivity that we have outlined in the introduction. As for the remaining three properties listed in the introduction (i.e., sequentiality, alternativeness, and shuffling), they are entailed by the formalization of the semantics of a global type in terms of its traces (Definition 2.2). In particular, we have that soundness implies sequentiality and alternativeness, while completeness implies shuffling. Therefore, in the formal treatment that follows we will focus on soundness and completeness as the only characterizing properties connecting sessions and global types. The relation $\Delta \sqsubseteq \mathcal{G}$ summarizes the fact that $\Delta$ is both sound and complete with respect to $\mathcal{G}$, namely that $\Delta$ is a correct implementation of the specification $\mathcal{G}$.

Table 3 presents our rules for building the projections of global types. Projecting a global type basically means compiling it to an "equivalent" set of session types. Since the source language (global types) is equipped with sequential composition while the target language (session types) is not, it is convenient to parameterize projection on a continuation, i.e., we consider judgments of the shape:

\[ \Delta \vdash \mathcal{G} \triangleright \Delta' \]
Table 3: Rules for semantic projection.

\[ \textsf{(SP-Skip)}\quad \Delta \vdash \mathsf{skip} \triangleright \Delta \]

\[ \textsf{(SP-Action)}\quad \{p_i : T_i\}_{i \in I} \uplus \{p : T\} \uplus \Delta \vdash \{p_i\}_{i \in I} \xrightarrow{a} p \triangleright \{p_i : p!a.T_i\}_{i \in I} \uplus \{p : \{p_i\}_{i \in I}?a.T\} \uplus \Delta \]

\[ \textsf{(SP-Sequence)}\quad \frac{\Delta \vdash \mathcal{G}_2 \triangleright \Delta' \qquad \Delta' \vdash \mathcal{G}_1 \triangleright \Delta''}{\Delta \vdash \mathcal{G}_1;\mathcal{G}_2 \triangleright \Delta''} \]

\[ \textsf{(SP-Alternative)}\quad \frac{\Delta \vdash \mathcal{G}_1 \triangleright \{p : T_1\} \uplus \Delta' \qquad \Delta \vdash \mathcal{G}_2 \triangleright \{p : T_2\} \uplus \Delta'}{\Delta \vdash \mathcal{G}_1 \vee \mathcal{G}_2 \triangleright \{p : T_1 \oplus T_2\} \uplus \Delta'} \]

\[ \textsf{(SP-Iteration)}\quad \frac{\{p : T_1 \oplus T_2\} \uplus \Delta \vdash \mathcal{G} \triangleright \{p : T_1\} \uplus \Delta}{\{p : T_2\} \uplus \Delta \vdash \mathcal{G}^* \triangleright \{p : T_1 \oplus T_2\} \uplus \Delta} \]

\[ \textsf{(SP-Subsumption)}\quad \frac{\Delta \vdash \mathcal{G}' \triangleright \Delta' \qquad \mathcal{G}' \sqsubseteq \mathcal{G} \qquad \Delta'' \sqsubseteq \Delta'}{\Delta \vdash \mathcal{G} \triangleright \Delta''} \]

meaning that if $\Delta$ is the projection of some $\mathcal{G}'$, then $\Delta'$ is the projection of $\mathcal{G};\mathcal{G}'$. We say that $\Delta'$ is a projection of $\mathcal{G}$ with continuation $\Delta$. This shape of judgments immediately gives us the rule (SP-Sequence).

The projection of an interaction $\pi \xrightarrow{a} p$ adds $p!a$ in front of the session type of all the roles in $\pi$, and $\pi?a$ in front of the session type of $p$ (rule (SP-Action)). For example we have:

\[ \{p : \mathsf{end},\; q : \mathsf{end}\} \vdash p \xrightarrow{a} q \triangleright \{p : q!a.\mathsf{end},\; q : p?a.\mathsf{end}\} \]

An alternative $\mathcal{G}_1 \vee \mathcal{G}_2$ (rule (SP-Alternative)) can be projected only if there is a participant $p$ that actively chooses among different behaviors by sending different messages, while all the other participants must exhibit the same behavior in both branches. The subsumption rule (SP-Subsumption) can be used to fulfill this requirement in many cases.

For example we have $\Delta_0 \vdash p \xrightarrow{a} q \triangleright \{p : q!a.\mathsf{end},\; q : p?a.\mathsf{end}\}$ and $\Delta_0 \vdash p \xrightarrow{b} q \triangleright \{p : q!b.\mathsf{end},\; q : p?b.\mathsf{end}\}$, where $\Delta_0 = \{p : \mathsf{end},\; q : \mathsf{end}\}$. In order to project $p \xrightarrow{a} q \vee p \xrightarrow{b} q$ with continuation $\Delta_0$ we derive first by subsumption $\Delta_0 \vdash p \xrightarrow{a} q \triangleright \{p : q!a.\mathsf{end},\; q : T\}$ and $\Delta_0 \vdash p \xrightarrow{b} q \triangleright \{p : q!b.\mathsf{end},\; q : T\}$ where $T = p?a.\mathsf{end} + p?b.\mathsf{end}$. Then we obtain

\[ \Delta_0 \vdash p \xrightarrow{a} q \vee p \xrightarrow{b} q \triangleright \{p : q!a.\mathsf{end} \oplus q!b.\mathsf{end},\; q : T\} \]

Notice that rule (SP-Alternative) imposes that in alternative branches there must be one and only one participant that takes the decision. For instance, the global type

\[ \{p, q\} \xrightarrow{a} r \vee \{p, q\} \xrightarrow{b} r \]

cannot be projected since we would need a covert channel for $p$ to agree with $q$ about whether to send to $r$ the message $a$ or $b$.

Rule (SP-Subsumption) can be easily understood by recalling that we require a projection $\Delta$ of a global type $\mathcal{G}$ to satisfy $\Delta \sqsubseteq \mathcal{G}$. Therefore if $\Delta'$ is a projection of $\mathcal{G}'$ with continuation $\Delta$ and $\mathcal{G}' \sqsubseteq \mathcal{G}$, then $\Delta'$ is also a projection of $\mathcal{G}$ with continuation $\Delta$. Similarly, if $\Delta'$ is a projection of $\mathcal{G}'$ with continuation $\Delta$ and $\Delta'' \sqsubseteq \Delta'$, then also $\Delta''$ is a projection of $\mathcal{G}'$ with continuation $\Delta$.

To project a starred global type we also require that one participant $p$ chooses between repeating the loop or exiting by sending messages, while the session types of all other participants are unchanged. If $T_1$ and $T_2$ are the session types describing the behavior of $p$ when it has respectively decided to perform one more iteration or to terminate the iteration, then $T_1 \oplus T_2$ describes the behavior of $p$ before it takes the decision. The projection rule requires that one execution of $\mathcal{G}$ followed by the choice between $T_1$ and $T_2$ projects in a session with type $T_1$ for $p$. This judgment is possible only if $T_1$ is a recursive type, as expected, and it is the premise of rule (SP-Iteration). For example if $T_1 = q!a.\mathsf{rec}\,X.(q!a.X \oplus q!b.\mathsf{end})$, $T_2 = q!b.\mathsf{end}$, and $S = \mathsf{rec}\,Y.(p?a.Y + p?b.\mathsf{end})$ we can derive $\{p : T_1 \oplus T_2,\; q : S\} \vdash p \xrightarrow{a} q \triangleright \{p : T_1,\; q : S\}$ and then

\[ \{p : T_2,\; q : S\} \vdash (p \xrightarrow{a} q)^* \triangleright \{p : T_1 \oplus T_2,\; q : S\} \]

Notably there is no rule for « $\wedge$ », the both constructor. We deal with this constructor by observing that all interleavings of the actions in $\mathcal{G}_1$ and $\mathcal{G}_2$ give global types $\mathcal{G}$ such that $\mathcal{G} \sqsubseteq \mathcal{G}_1 \wedge \mathcal{G}_2$, and therefore we can use the subsumption rule to eliminate every occurrence of « $\wedge$ ». For example, to project the global type $p \xrightarrow{a} q \wedge r \xrightarrow{a} s$ we can use $p \xrightarrow{a} q; r \xrightarrow{a} s$: since the two actions that compose both global types have disjoint participants, the projections of these global types (as well as that of $r \xrightarrow{a} s; p \xrightarrow{a} q$) will have exactly the same set of traces.

Other interesting examples of subsumptions useful for projecting are

\[ r \xrightarrow{a} p; p \xrightarrow{b} q \;\sqsubseteq\; (p \xrightarrow{b} q; r \xrightarrow{a} p) \vee (r \xrightarrow{a} p; p \xrightarrow{b} q) \tag{4.1} \]

\[ r \xrightarrow{a} p; (p \xrightarrow{b} q \vee p \xrightarrow{c} q) \;\sqsubseteq\; (r \xrightarrow{a} p; p \xrightarrow{b} q) \vee (r \xrightarrow{a} p; p \xrightarrow{c} q) \tag{4.2} \]

In (4.1) the $\sqsubseteq$-larger global type describes the shuffling of two interactions, therefore we can project one particular ordering still preserving completeness. In (4.2) we exploit the left-distributivity law of regular expressions to push the « $\vee$ » construct where the choice is actually being made (this is possible thanks to the trace semantics we adopt for global types).

We are interested in projections without continuations, that is, in judgments of the shape $\{p : \mathsf{end} \mid p \in \mathcal{G}\} \vdash \mathcal{G} \triangleright \Delta$ (where $p \in \mathcal{G}$ means that $p$ occurs in $\mathcal{G}$) which we shortly write as

\[ \vdash \mathcal{G} \triangleright \Delta \]

The mere existence of a projection does not mean that the projection behaves as specified in the global type. For example, we have

\[ \vdash p \xrightarrow{a} q; r \xrightarrow{a} s \triangleright \{p : q!a.\mathsf{end},\; q : p?a.\mathsf{end},\; r : s!a.\mathsf{end},\; s : r?a.\mathsf{end}\} \]

but the projection admits the trace $r \xrightarrow{a} s; p \xrightarrow{a} q$ which is not allowed by the global type. Clearly the problem resides in the global type, which tries to impose a temporal ordering between interactions involving disjoint participants. What we want, in accordance with the traces of a global type $\mathcal{G}_1;\mathcal{G}_2$, is that no interaction in $\mathcal{G}_2$ can be completed before all the interactions in $\mathcal{G}_1$ are completed. In more detail:

• an action $\pi \xrightarrow{a} p$ is completed when the participant $p$ has received the message $a$ from all the participants in $\pi$;

• if $\varphi; \pi \xrightarrow{a} p; \pi' \xrightarrow{b} p'; \psi$ is a trace of a global type, then either the action $\pi' \xrightarrow{b} p'$ cannot be completed before the action $\pi \xrightarrow{a} p$ is completed, or they can be executed in any order. The first case requires $p$ to be either $p'$ or a member of $\pi'$; in the second case the set of traces must also contain the trace $\varphi; \pi' \xrightarrow{b} p'; \pi \xrightarrow{a} p; \psi$.
This leads us to the following definition of well-formed global type.

Definition 4.2 (well-formed global type). We say that a set of traces $L$ is well formed if $\varphi; \pi \xrightarrow{a} p; \pi' \xrightarrow{b} p'; \psi \in L$ implies either $p \in \pi' \cup \{p'\}$ or $\varphi; \pi' \xrightarrow{b} p'; \pi \xrightarrow{a} p; \psi \in L$. We say that a global type $\mathcal{G}$ is well formed if so is $\mathsf{tr}(\mathcal{G})$.

It is easy to decide well-formedness of an arbitrary global type $\mathcal{G}$ by looking at the automaton that recognizes the language of traces generated by $\mathcal{G}$.

Projectability and well-formedness must be kept separate because it is sometimes necessary to project ill-formed global types. For example, the ill-formed global type $p \xrightarrow{a} q; r \xrightarrow{a} s$ above is useful to project $p \xrightarrow{a} q \wedge r \xrightarrow{a} s$, which is well formed.

Clearly, if a global type is projectable (i.e., $\vdash \mathcal{G} \triangleright \Delta$ is derivable) then well-formedness of $\mathcal{G}$ is a necessary condition for the soundness and completeness of its projection (i.e., for $\Delta \sqsubseteq \mathcal{G}$). It turns out that well-formedness is also a sufficient condition for having soundness and completeness of projections, as stated in the following theorem, whose proof is the content of Appendix A.

Theorem 4.1. If $\mathcal{G}$ is well formed and $\vdash \mathcal{G} \triangleright \Delta$, then $\Delta \sqsubseteq \mathcal{G}$.

In summary, if a well-formed global type $\mathcal{G}$ is projectable, then its projection $\Delta$ is a live session (it cannot generate the empty set of traces since $\mathsf{tr}(\mathcal{G}) \subseteq \mathsf{tr}(\Delta)^{\circ}$) which is sound and complete with respect to $\mathcal{G}$ and, therefore, satisfies the sequentiality, alternativeness, and shuffling properties outlined in the introduction.

Remark 4.1. We now have all the ingredients for showing that actions involving multiple senders are not redundant, in the sense that they cannot be encoded in terms of more primitive actions with single senders. In particular, we show that the global type

\[ \mathcal{G}_1 = \{q_1, q_2\} \xrightarrow{b} q \]

is not always equivalent to the expansion

\[ \mathcal{G}_2 = q_1 \xrightarrow{b} q \wedge q_2 \xrightarrow{b} q \]

despite the fact that, in $\mathcal{G}_1$ and $\mathcal{G}_2$, the same number of messages is exchanged between the very same participants.

If we consider the global types $\mathcal{G}_1'$ and $\mathcal{G}_2'$ defined by:

\[ \mathcal{G}_i' = (p \xrightarrow{a} q_1 \wedge p \xrightarrow{a} q_2); \mathcal{G}_i \]

we see that $\mathcal{G}_1'$ is well formed while $\mathcal{G}_2'$ is not. The reason is the trace $p \xrightarrow{a} q_1; p \xrightarrow{a} q_2; q_1 \xrightarrow{b} q; q_2 \xrightarrow{b} q \in \mathsf{tr}(\mathcal{G}_2')$, where $q_2 \notin \{q, q_1\}$ and $p \xrightarrow{a} q_1; q_1 \xrightarrow{b} q; p \xrightarrow{a} q_2; q_2 \xrightarrow{b} q \notin \mathsf{tr}(\mathcal{G}_2')$. Basically, both $\mathcal{G}_1'$ and $\mathcal{G}_2'$ specify the constraint that no $b$ message is received by $q$ before both $a$ messages have been received by $q_1$ and $q_2$. However, in $\mathcal{G}_2'$ the $b$ messages are received by means of independent actions, and therefore it can happen that the $b$ message from $q_1$ is received by $q$ before the $a$ message from $p$ is received by $q_2$, which is exactly the scenario described by the trace above that is not in $\mathsf{tr}(\mathcal{G}_2')$. The global type $\mathcal{G}_1'$, on the other hand, specifies that the receive operation performed by $q$ is considered completed only when both $b$ messages from $q_1$ and $q_2$ are available. The interested reader may compare the projections of $\mathcal{G}_1'$ and $\mathcal{G}_2'$ and verify that the one for $\mathcal{G}_2'$ does indeed exhibit an undesired trace.
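The trace semantics, the pre-order $\sqsubseteq$ of Definition 4.1 and the well-formedness condition of Definition 4.2 can all be checked mechanically on finite trace sets. The following Python is an added example, not code from the paper; it assumes the representation described in its docstring (actions as triples, « $\wedge$ » as shuffle, a bounded unfolding of « $*$ ») and reproduces the $p \xrightarrow{a} q; r \xrightarrow{a} s$ discussion, inequation (4.1) and the two global types of Remark 4.1.

```python
"""Trace semantics of global types, the implementation pre-order of Definition 4.1
and the well-formedness condition of Definition 4.2, checked on finite trace sets.
Added example, not the paper's code.  Assumptions: an action is (senders, label,
receiver) with senders a frozenset; global types are nested tuples; tr(G1 ∧ G2) is
the set of shuffles of the traces of G1 and G2; G* is approximated by at most
`unfold` unfoldings so that every trace set stays finite."""
from itertools import permutations

def act(senders, label, receiver):
    """Action  senders -label-> receiver  (constructed representation)."""
    return (frozenset(senders), label, receiver)

def shuffle(u, v):
    """All interleavings of the traces u and v."""
    if not u or not v:
        return {u + v}
    return ({(u[0],) + w for w in shuffle(u[1:], v)}
            | {(v[0],) + w for w in shuffle(u, v[1:])})

def tr(g, unfold=2):
    """Finite trace set of the global type g (G* unfolded at most `unfold` times)."""
    kind = g[0]
    if kind == 'skip':
        return {()}
    if kind == 'act':
        return {(g[1],)}
    if kind == 'seq':
        return {u + v for u in tr(g[1], unfold) for v in tr(g[2], unfold)}
    if kind == 'alt':
        return tr(g[1], unfold) | tr(g[2], unfold)
    if kind == 'both':
        return {w for u in tr(g[1], unfold) for v in tr(g[2], unfold)
                for w in shuffle(u, v)}
    if kind == 'star':
        body, acc, cur = tr(g[1], unfold), {()}, {()}
        for _ in range(unfold):
            cur = {u + v for u in cur for v in body}
            acc |= cur
        return acc
    raise ValueError(kind)

def perm_closure(L):
    """L°: closure of L under arbitrary permutations of each string."""
    return {w for s in L for w in permutations(s)}

def implements(L1, L2):
    """L1 ⊑ L2  iff  L1 ⊆ L2 ⊆ L1°  (Definition 4.1)."""
    return L1 <= L2 <= perm_closure(L1)

def swap_adjacent(w, k):
    """The trace w with the actions at positions k and k+1 exchanged."""
    return w[:k] + (w[k + 1], w[k]) + w[k + 2:]

def independent(w, k):
    """True when actions k and k+1 of w may complete in any order, i.e. the receiver
    of the first is neither the receiver nor one of the senders of the second."""
    (_, _, p), (pi2, _, p2) = w[k], w[k + 1]
    return p not in pi2 and p != p2

def ill_formed_witness(L):
    """A trace of L violating Definition 4.2 (independent adjacent actions whose
    swapped trace is missing from L), or None when L is well formed."""
    for w in sorted(L, key=repr):
        for k in range(len(w) - 1):
            if independent(w, k) and swap_adjacent(w, k) not in L:
                return w
    return None

def wf_closure(L):
    """L^#: the smallest well-formed set containing L, as a finite fixed point."""
    L = set(L)
    while True:
        new = {swap_adjacent(w, k) for w in L for k in range(len(w) - 1)
               if independent(w, k)}
        if new <= L:
            return L
        L |= new

# Constructed global types from the text of Section 4.
PQ, RS = act({'p'}, 'a', 'q'), act({'r'}, 'a', 's')
SEQ = ('seq', ('act', PQ), ('act', RS))     # p -a-> q; r -a-> s   (ill formed)
BOTH = ('both', ('act', PQ), ('act', RS))   # p -a-> q ∧ r -a-> s  (well formed)
# Traces of the projection {p : q!a.end, q : p?a.end, r : s!a.end, s : r?a.end}.
PROJ_TRACES = {(PQ, RS), (RS, PQ)}
# Remark 4.1: one multi-sender action versus two independent single-sender actions.
PREFIX = ('both', ('act', act({'p'}, 'a', 'q1')), ('act', act({'p'}, 'a', 'q2')))
G1P = ('seq', PREFIX, ('act', act({'q1', 'q2'}, 'b', 'q')))
G2P = ('seq', PREFIX, ('both', ('act', act({'q1'}, 'b', 'q')),
                               ('act', act({'q2'}, 'b', 'q'))))

if __name__ == '__main__':
    print('p->q; r->s: sound?', implements(PROJ_TRACES, tr(SEQ)),
          'complete?', tr(SEQ) <= PROJ_TRACES <= wf_closure(tr(SEQ)))
    print("G1' witness:", ill_formed_witness(tr(G1P)), "G2' witness:", ill_formed_witness(tr(G2P)))
```

The projection of $p \xrightarrow{a} q; r \xrightarrow{a} s$ comes out complete but not sound, exactly the "no sequentiality" situation, while the same trace set is a correct implementation of $p \xrightarrow{a} q \wedge r \xrightarrow{a} s$.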
We conclude this section by formally characterizing the three kinds of problematic global types we have described earlier. We start from the least severe problem and move towards the more serious ones. Let $L^{\#}$ denote the smallest well-formed set such that $L \subseteq L^{\#}$.

No sequentiality. Assuming that there is no $\Delta$ that is both sound and complete for $\mathcal{G}$, it might be the case that we can find a session whose traces are complete for $\mathcal{G}$ and sound for the global type $\mathcal{G}'$ obtained from $\mathcal{G}$ by turning some « ; »'s into « $\wedge$ »'s. This means that the original global type $\mathcal{G}$ is ill formed, namely that it specifies some sequentiality constraints that are impossible to implement. For instance, $\{p : q!a.\mathsf{end},\; q : p?a.\mathsf{end},\; r : s!b.\mathsf{end},\; s : r?b.\mathsf{end}\}$ is a complete but not sound session for the ill-formed global type $p \xrightarrow{a} q; r \xrightarrow{b} s$ (while it is a sound and complete session for $p \xrightarrow{a} q \wedge r \xrightarrow{b} s$). We characterize the global types $\mathcal{G}$ that present this error as:

\[ \nexists \Delta : \Delta \sqsubseteq \mathcal{G} \quad\text{and}\quad \exists \Delta : \mathsf{tr}(\mathcal{G}) \subseteq \mathsf{tr}(\Delta) \subseteq \mathsf{tr}(\mathcal{G})^{\#}. \]

No knowledge for choice. In this case every session $\Delta$ that is complete for $\mathcal{G}$ invariably exhibits some interactions that are not allowed by $\mathcal{G}$, despite the fact that $\mathcal{G}$ is well formed. This happens when the global type specifies alternative behaviors, but some participants do not have enough information to behave consistently. For example, the global type

\[ (p \xrightarrow{a} q; q \xrightarrow{a} r; r \xrightarrow{a} p) \vee (p \xrightarrow{b} q; q \xrightarrow{a} r; r \xrightarrow{b} p) \]

mandates that $r$ should send either $a$ or $b$ in accordance with the message that $p$ sends to $q$. Unfortunately, $r$ has no information as to which message $q$ has received, because $q$ notifies $r$ with an $a$ message in both branches. A complete implementation of this global type is

\[ \{ p : q!a.(r?a.\mathsf{end} + r?b.\mathsf{end}) \oplus q!b.(r?a.\mathsf{end} + r?b.\mathsf{end}),\; q : p?a.r!a.\mathsf{end} + p?b.r!a.\mathsf{end},\; r : q?a.(q!a.\mathsf{end} \oplus q!b.\mathsf{end}) \} \]

which also produces the traces $p \xrightarrow{a} q; q \xrightarrow{a} r; r \xrightarrow{b} p$ and $p \xrightarrow{b} q; q \xrightarrow{a} r; r \xrightarrow{a} p$. We characterize this error as:

\[ \nexists \Delta : \mathsf{tr}(\mathcal{G}) \subseteq \mathsf{tr}(\Delta) \subseteq \mathsf{tr}(\mathcal{G})^{\#} \quad\text{and}\quad \exists \Delta : \mathsf{tr}(\mathcal{G}) \subseteq \mathsf{tr}(\Delta). \]

No knowledge, no choice. In this case we cannot find a complete session $\Delta$ for $\mathcal{G}$. This typically means that $\mathcal{G}$ specifies some combination of incompatible behaviors. For example, the global type $p \xrightarrow{a} q \vee q \xrightarrow{a} p$ implies an agreement between $p$ and $q$ for establishing who is entitled to send the $a$ message. In a distributed environment, however, there can be no agreement without a previous message exchange. Therefore, we can either have a sound but not complete session that implements just one of the two branches (for example, $\{p : q!a.\mathsf{end},\; q : p?a.\mathsf{end}\}$) or a session like $\{p : q!a.q?a.\mathsf{end},\; q : p?a.p!a.\mathsf{end}\}$ where both $p$ and $q$ send their message but which is neither sound nor complete. We characterize this error as:

\[ \nexists \Delta : \mathsf{tr}(\mathcal{G}) \subseteq \mathsf{tr}(\Delta). \]
5. Algorithmic projection

We now attack the problem of computing the projection of a global type. We are looking for an algorithm that "implements" the projection rules of Section 4, that is, that given a session continuation $\Delta$ and a global type $\mathcal{G}$, produces a projection $\Delta'$ such that $\Delta \vdash \mathcal{G} \triangleright \Delta'$. In other terms this algorithm must be sound with respect to the semantic projection (completeness, that is, returning a projection for every global type that is semantically projectable, seems out of reach, yet).

The deduction system in Table 3 is not algorithmic because of two rules: the rule (SP-Iteration) that does not satisfy the subformula property since the context $\Delta$ used in the premises is the result of the conclusion; the rule (SP-Subsumption) since it is neither syntax-directed (it is defined for a generic $\mathcal{G}$) nor does it satisfy the subformula property (the $\mathcal{G}'$ and $\Delta''$ in the premises are not uniquely determined).¹ The latter rule can be expressed as the composition of the two rules

\[ \textsf{(SP-SubsumptionG)}\quad \frac{\Delta \vdash \mathcal{G}' \triangleright \Delta' \qquad \mathcal{G}' \sqsubseteq \mathcal{G}}{\Delta \vdash \mathcal{G} \triangleright \Delta'} \qquad\qquad \textsf{(SP-SubsumptionS)}\quad \frac{\Delta \vdash \mathcal{G} \triangleright \Delta' \qquad \Delta'' \sqsubseteq \Delta'}{\Delta \vdash \mathcal{G} \triangleright \Delta''} \]

Splitting (SP-Subsumption) into (SP-SubsumptionG) and (SP-SubsumptionS) is useful to explain the following problems we have to tackle to define an algorithm:

(1) How to eliminate (SP-SubsumptionS), the subsumption rule for sessions.

(2) How to define an algorithmic version of (SP-Iteration), the rule for Kleene star.

(3) How to eliminate (SP-SubsumptionG), the subsumption rule for global types.

We address each problem in order and discuss the related rules in the next sections.

5.1. Session subsumption. Rule (SP-SubsumptionS) is needed to project alternative branches and iterations (a loop is an unbounded repetition of alternatives, each one starting with the choice of whether to enter the loop or to skip it): each participant different from the one that actively chooses must behave according to the same session type in both branches. More precisely, to project $\mathcal{G}_1 \vee \mathcal{G}_2$ the rule (SP-Alternative) requires to deduce for $\mathcal{G}_1$ and $\mathcal{G}_2$ the same projection: if different projections are deduced, then they must be previously subsumed to a common lower bound. The algorithmic projection of an alternative (see the corresponding rule in Table 4) allows premises with two different sessions, but then merges them. Of course not every pair of projections is mergeable. Intuitively, two projections are mergeable if so are the behaviors of each participant. This requires participants to respect a precise behavior: as long as a participant cannot determine in which branch (i.e., projection) it is, then it must do the same actions in all branches (i.e., projections).

For example, to project $\mathcal{G} = (p \xrightarrow{a} q; r \xrightarrow{c} q; \ldots) \vee (p \xrightarrow{b} q; r \xrightarrow{c} q; \ldots)$ we project each branch separately obtaining $\Delta_1 = \{p : q!a\ldots,\; q : p?a.r?c\ldots,\; r : q!c\ldots\}$ and $\Delta_2 = \{p : q!b\ldots,\; q : p?b.r?c\ldots,\; r : q!c\ldots\}$. Since $p$ performs the choice, in the projection of $\mathcal{G}$ we obtain $p : q!a\ldots \oplus q!b\ldots$ and we must merge $\{q : p?a.r?c\ldots,\; r : q!c\ldots\}$ with $\{q : p?b.r?c\ldots,\; r : q!c\ldots\}$. Regarding $q$, observe that it is the receiver of the message from $p$, therefore it becomes aware of the choice and can behave differently right after the first input operation. Merging its behaviors yields $q : p?a.r?c\ldots + p?b.r?c\ldots$. Regarding $r$, it



¹ The rule (SP-Alternative) is algorithmic: in fact there is a finite number of participants in the two sessions of the premises and at most one of them can have different session types starting with outputs.



18 G. CASTAGNA, M. DEZANI-CIANCAGLINI, AND L. PADOVANI 



has no information as to which choice has been made by $p$, therefore it must have the same behavior in both branches, as is the case. Since merging is idempotent, we obtain $r : q!c\ldots$. In summary, mergeability of two branches of an « $\vee$ » corresponds to the "awareness" of the choice made when branching (see the discussion in Section 4 about the "No knowledge for choice" error), and it is possible when, roughly, each participant performs the same internal choices and disjoint external choices in the two sessions.

Special care must be taken when merging external choices to avoid unexpected interactions that may invalidate the correctness of the projection. To illustrate the problem consider the session types $T = p?a.q?b.\mathsf{end}$ and $S = q?b.\mathsf{end}$ describing the behavior of a participant $r$. If we let $r$ behave according to the merge of $T$ and $S$, which intuitively is the external choice $p?a.q?b.\mathsf{end} + q?b.\mathsf{end}$, it may be possible that the message $b$ from $q$ is read before the message $a$ from $p$ arrives. Therefore, $r$ may mistakenly think that it should no longer participate in the session, while there is still a message targeted to $r$ that will never be read. Therefore, $T$ and $S$ are incompatible and it is not possible to merge them safely. On the contrary, $p?a.p?b.\mathsf{end}$ and $p?b.\mathsf{end}$ are compatible and can be merged to $p?a.p?b.\mathsf{end} + p?b.\mathsf{end}$. In this case, since the order of messages coming from the same sender is preserved, it is not possible for $r$ to read the $b$ message coming from $p$ before the $a$ message, assuming that $p$ sent both. More formally:

Definition 5.1 (compatibility). We say that an input $p?a$ is compatible with a session type $T$ if either

(i) $p?a$ does not occur in $T$, or

(ii) $T = \bigoplus_{i \in I} p_i!a_i.T_i$ and $p?a$ is compatible with $T_i$ for all $i \in I$, or

(iii) $T = \sum_{i \in I} \pi_i?a_i.T_i$ and for all $i \in I$ either $p \in \pi_i$ and $a \neq a_i$, or $p \notin \pi_i$ and $p?a$ is compatible with $T_i$.

We say that an input $\pi?a$ is compatible with a session type $T$ if $p?a$ is compatible with $T$ for some $p \in \pi$.

Finally, $T = \sum_{i \in I} \pi_i?a_i.T_i + \sum_{j \in J} \pi_j?a_j.T_j$ and $S = \sum_{i \in I} \pi_i?a_i.S_i + \sum_{h \in H} \pi_h?a_h.S_h$ are compatible if $\pi_j?a_j$ is compatible with $S$ for all $j \in J$ and $\pi_h?a_h$ is compatible with $T$ for all $h \in H$.

The merge operator just connects sessions with the same output guards by internal choices and with compatible input guards by external choices:

Definition 5.2 (merge). The merge of $T$ and $S$, written $T \curlywedge S$, is defined coinductively and by cases on the structure of $T$ and $S$ thus:

• if $T = S = \mathsf{end}$, then $T \curlywedge S = \mathsf{end}$;

• if $T = \bigoplus_{i \in I} p_i!a_i.T_i$ and $S = \bigoplus_{i \in I} p_i!a_i.S_i$, then $T \curlywedge S = \bigoplus_{i \in I} p_i!a_i.(T_i \curlywedge S_i)$;

• if $T = \sum_{i \in I} \pi_i?a_i.T_i + \sum_{j \in J} \pi_j?a_j.T_j$ and $S = \sum_{i \in I} \pi_i?a_i.S_i + \sum_{h \in H} \pi_h?a_h.S_h$ are compatible, then $T \curlywedge S = \sum_{i \in I} \pi_i?a_i.(T_i \curlywedge S_i) + \sum_{j \in J} \pi_j?a_j.T_j + \sum_{h \in H} \pi_h?a_h.S_h$.

We extend merging to sessions so that $\Delta \curlywedge \Delta' = \{ p : T \curlywedge S \mid p : T \in \Delta \;\&\; p : S \in \Delta' \}$.

Rules (AP-Alternative) and (AP-Iteration) of Table 4 are the algorithmic versions of (SP-Alternative) and (SP-Iteration), but instead of relying on subsumption they use the merge operator to compute common behaviors.

The merge operation is a sound but incomplete approximation of session subsumption insofar as the merge of two sessions can be undefined even though the two sessions, completed with the participant that makes the decision, have a common lower bound according to $\sqsubseteq$.
Table 4: Rules for algorithmic projection.

\[ \textsf{(AP-Skip)}\quad \Delta \vdash_a \mathsf{skip} \triangleright \Delta \]

\[ \textsf{(AP-Action)}\quad \{p_i : T_i\}_{i \in I} \uplus \{p : T\} \uplus \Delta \vdash_a \{p_i\}_{i \in I} \xrightarrow{a} p \triangleright \{p_i : p!a.T_i\}_{i \in I} \uplus \{p : \{p_i\}_{i \in I}?a.T\} \uplus \Delta \]

\[ \textsf{(AP-Sequence)}\quad \frac{\Delta \vdash_a \mathcal{G}_2 \triangleright \Delta' \qquad \Delta' \vdash_a \mathcal{G}_1 \triangleright \Delta''}{\Delta \vdash_a \mathcal{G}_1;\mathcal{G}_2 \triangleright \Delta''} \]

\[ \textsf{(AP-Alternative)}\quad \frac{\Delta \vdash_a \mathcal{G}_1 \triangleright \{p : T_1\} \uplus \Delta_1 \qquad \Delta \vdash_a \mathcal{G}_2 \triangleright \{p : T_2\} \uplus \Delta_2}{\Delta \vdash_a \mathcal{G}_1 \vee \mathcal{G}_2 \triangleright \{p : T_1 \oplus T_2\} \uplus (\Delta_1 \curlywedge \Delta_2)} \]

\[ \textsf{(AP-Iteration)}\quad \frac{\{p : X\} \uplus \{p_i : X_i\}_{i \in I} \uplus \Delta \vdash_a \mathcal{G} \triangleright \{p : S\} \uplus \{p_i : S_i\}_{i \in I} \uplus \Delta}{\{p : T\} \uplus \{p_i : T_i\}_{i \in I} \uplus \Delta \vdash_a \mathcal{G}^* \triangleright \{p : \mathsf{rec}\,X.(T \oplus S)\} \uplus \{p_i : \mathsf{rec}\,X_i.(T_i \curlywedge S_i)\}_{i \in I} \uplus \Delta} \]

This implies that there are global types which can be semantically but not algorithmically projected.

Take for example $\mathcal{G}_1 \vee \mathcal{G}_2$ where $\mathcal{G}_1 = p \xrightarrow{a} r; r \xrightarrow{a} p; p \xrightarrow{a} q; q \xrightarrow{b} r$ and $\mathcal{G}_2 = p \xrightarrow{b} q; q \xrightarrow{b} r$. The behavior of $r$ in $\mathcal{G}_1$ and $\mathcal{G}_2$ respectively is $T = p?a.p!a.q?b.\mathsf{end}$ and $S = q?b.\mathsf{end}$. Then we see that $\mathcal{G}_1 \vee \mathcal{G}_2$ is semantically projectable, for instance by inferring the behavior $T + S$ for $r$. However, $T$ and $S$ are incompatible and $\mathcal{G}_1 \vee \mathcal{G}_2$ is not algorithmically projectable. The point is that the $\sqsubseteq$ relation on projections has a comprehensive perspective of the whole session and "realizes" that, if $p$ initially chooses to send $a$, then $r$ will not receive a $b$ message coming from $q$ until $r$ has sent $a$ to $p$. The merge operator, on the other hand, is defined locally on pairs of session types and ignores that the $a$ message that $r$ sends to $p$ is used to enforce the arrival of the $b$ message from $q$ to $r$ only afterwards. For this reason it conservatively declares $T$ and $S$ incompatible, making $\mathcal{G}_1 \vee \mathcal{G}_2$ impossible to project algorithmically. Appendix B discusses further examples illustrating merge and compatibility.
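Definitions 5.1 and 5.2 and the star-free part of Table 4 are small enough to execute. The following Python is an added example, not the paper's code; it assumes the tuple encoding of session and global types described in its docstring, leaves recursion (and hence (AP-Iteration)) out, rejects the incompatible pairs discussed in Section 5.1 and just above, and projects the "aware" alternative of Section 5.1 while refusing the "no knowledge for choice" global type of Section 4.

```python
"""Compatibility (Definition 5.1), merge (Definition 5.2) and a star-free version of
the algorithmic projection of Table 4.  Added example, not the paper's code.
Assumptions: session types are END, ('out', ((p, a, T), ...)) for ⊕ p!a.T and
('in', ((π, a, T), ...)) for Σ π?a.T with π a frozenset; recursive types, hence G*,
are left out, so merge is ordinary recursion instead of the coinductive definition;
global types are ('skip',), ('act', (π, a, p)), ('seq', G1, G2) or ('alt', G1, G2);
an undefined merge or projection raises MergeError."""

END = ('end',)

class MergeError(Exception):
    """Raised where T ⋏ S, or a projection that needs it, is undefined."""

def out(*branches):
    """Internal choice ⊕ p!a.T from (p, a, T) triples."""
    return ('out', tuple(branches))

def inp(*branches):
    """External choice Σ π?a.T from (π, a, T) triples."""
    return ('in', tuple((frozenset(pi), a, T) for pi, a, T in branches))

def act(senders, a, receiver):
    """Global type for the single action  senders -a-> receiver."""
    return ('act', (frozenset(senders), a, receiver))

def compatible(p, a, T):
    """Definition 5.1: is the single-sender input p?a compatible with T?"""
    if T[0] == 'end':
        return True                                            # (i): p?a absent
    if T[0] == 'out':
        return all(compatible(p, a, Ti) for _, _, Ti in T[1])  # (ii)
    for pi, ai, Ti in T[1]:                                    # (iii)
        if (p in pi and a == ai) or (p not in pi and not compatible(p, a, Ti)):
            return False
    return True

def merge(T, S):
    """T ⋏ S (Definition 5.2); raises MergeError when undefined."""
    if T[0] != S[0]:
        raise MergeError('end/input/output mismatch')
    if T[0] == 'end':
        return END
    gt = {(x, a): Ti for x, a, Ti in T[1]}     # guard -> continuation
    gs = {(x, a): Si for x, a, Si in S[1]}
    if T[0] == 'out':
        if gt.keys() != gs.keys():
            raise MergeError('internal choices with different output guards')
        return out(*(k + (merge(gt[k], gs[k]),) for k in gt))
    only_t, only_s = [k for k in gt if k not in gs], [k for k in gs if k not in gt]
    # π?a is compatible with a type if p?a is, for some p ∈ π (Definition 5.1).
    if not all(any(compatible(p, a, S) for p in pi) for pi, a in only_t) or \
       not all(any(compatible(p, a, T) for p in pi) for pi, a in only_s):
        raise MergeError('incompatible external choices')
    common = [k + (merge(gt[k], gs[k]),) for k in gt if k in gs]
    return ('in', tuple(common + [k + (gt[k],) for k in only_t]
                        + [k + (gs[k],) for k in only_s]))

def project(delta, g):
    """Δ ⊢a G ▷ Δ' for star-free G; delta maps each participant to a session type."""
    kind = g[0]
    if kind == 'skip':                                         # (AP-Skip)
        return dict(delta)
    if kind == 'act':                                          # (AP-Action)
        pi, a, p = g[1]
        new = dict(delta)
        for q in pi:
            new[q] = out((p, a, delta[q]))
        new[p] = inp((pi, a, delta[p]))
        return new
    if kind == 'seq':                                          # (AP-Sequence)
        return project(project(delta, g[2]), g[1])
    if kind == 'alt':                                          # (AP-Alternative)
        d1, d2 = project(delta, g[1]), project(delta, g[2])
        # The chooser is the participant whose branches start with different outputs;
        # everybody else is merged (merge is idempotent, so equal branches pass).
        choosers = [q for q in delta if d1[q][0] == d2[q][0] == 'out'
                    and {b[:2] for b in d1[q][1]} != {b[:2] for b in d2[q][1]}]
        if len(choosers) > 1:
            raise MergeError('more than one participant would have to choose')
        res = {q: merge(d1[q], d2[q]) for q in delta if q not in choosers}
        for p in choosers:
            res[p] = out(*(d1[p][1] + d2[p][1]))               # T1 ⊕ T2
        return res
    raise ValueError(kind)

def defined(f, *args):
    """True when f(*args) is defined, i.e. raises no MergeError."""
    try:
        return f(*args) is not None
    except MergeError:
        return False

# Constructed inputs taken from the text.
D0 = {'p': END, 'q': END, 'r': END}
G_AWARE = ('alt', ('seq', act({'p'}, 'a', 'q'), act({'r'}, 'c', 'q')),     # Section 5.1
                  ('seq', act({'p'}, 'b', 'q'), act({'r'}, 'c', 'q')))
G_BLIND = ('alt', ('seq', act({'p'}, 'a', 'q'), ('seq', act({'q'}, 'a', 'r'), act({'r'}, 'a', 'p'))),
                  ('seq', act({'p'}, 'b', 'q'), ('seq', act({'q'}, 'a', 'r'), act({'r'}, 'b', 'p'))))
T_BAD, S_BAD = inp(({'p'}, 'a', inp(({'q'}, 'b', END)))), inp(({'q'}, 'b', END))  # p?a.q?b.end, q?b.end
T_OK, S_OK = inp(({'p'}, 'a', inp(({'p'}, 'b', END)))), inp(({'p'}, 'b', END))    # p?a.p?b.end, p?b.end
T_SEM = inp(({'p'}, 'a', out(('p', 'a', inp(({'q'}, 'b', END))))))                  # p?a.p!a.q?b.end
```

Running `project(D0, G_AWARE)` yields $p : q!a.\mathsf{end} \oplus q!b.\mathsf{end}$, $q : p?a.r?c.\mathsf{end} + p?b.r?c.\mathsf{end}$ and $r : q!c.\mathsf{end}$, whereas `project(D0, G_BLIND)` fails because the continuations $p!a.\mathsf{end}$ and $p!b.\mathsf{end}$ of $r$ carry different output guards.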

5.2. Projection of Kleene star. Since an iteration $\mathcal{G}^*$ is intuitively equivalent to $\mathsf{skip} \vee \mathcal{G};\mathcal{G}^*$, it comes as no surprise that the algorithmic rule (AP-Iteration) uses the merge operator. The use of recursion variables for continuations is also natural: in the premise we project $\mathcal{G}$ taking recursion variables as session types in the continuation; the conclusion projects $\mathcal{G}^*$ as the choice between exiting and entering the loop. There is, however, a subtle point in this rule that may go unnoticed: the projection of $\mathcal{G}^*$ may require a continuation that includes actions and roles that precede $\mathcal{G}^*$. The point can be illustrated by the global type

\[ (p \xrightarrow{a} q; (p \xrightarrow{b} q)^*)^*; p \xrightarrow{c} q \]

where $p$ initially decides whether to enter the outermost iteration (by sending $a$) or not (by sending $c$). If it enters the iteration, then it eventually decides whether to also enter the innermost iteration (by sending $b$), whether to repeat the outermost one (by sending $a$), or to exit both (by sending $c$). Therefore, when we project $(p \xrightarrow{b} q)^*$, we must do it in a context in which both $p \xrightarrow{a} q$ and $p \xrightarrow{c} q$ are possible, that is a continuation of the form $\{p : q!a\ldots \oplus q!c.\mathsf{end}\}$ even though no $a$ is sent by an action (syntactically) following $(p \xrightarrow{b} q)^*$. For the same reason, the projection of $(p \xrightarrow{b} q)^*$ in $(p \xrightarrow{a} q; p \xrightarrow{a} r; (p \xrightarrow{b} q)^*)^*; p \xrightarrow{c} q; q \xrightarrow{c} r$ will need a recursive session type for $r$ in the continuation.



5.3. Global type subsumption. Elimination of global type subsumption is the most difficult problem when defining the projection algorithm. While in the case of sessions the definition of the merge operator gives us a sound, though not complete, tool that replaces session subsumption in very specific places, we do not have such a tool for global type containment. This is unfortunate since global type subsumption is necessary to project several usage patterns (see for example the inequations (4.1) and (4.2)), but most importantly it is the only way to eliminate $\wedge$-types (neither the semantic nor the algorithmic deduction systems have projection rules for « $\wedge$ »). The minimal facility that a projection algorithm should provide is to feed the algorithmic rules with all the variants of a global type obtained by replacing occurrences of $\mathcal{G}_1 \wedge \mathcal{G}_2$ by either $\mathcal{G}_1;\mathcal{G}_2$ or $\mathcal{G}_2;\mathcal{G}_1$. Unfortunately, this is not enough to cover all the occurrences in which rule (SP-SubsumptionG) is necessary. Indeed, while $\mathcal{G}_1;\mathcal{G}_2$ and $\mathcal{G}_2;\mathcal{G}_1$ are in many cases projectable (for instance, when $\mathcal{G}_1$ and $\mathcal{G}_2$ have distinct roles and are both projectable), there exist $\mathcal{G}_1$ and $\mathcal{G}_2$ such that $\mathcal{G}_1 \wedge \mathcal{G}_2$ is projectable only by considering a clever interleaving of the actions occurring in them. Consider for instance $\mathcal{G}_1 = (p \xrightarrow{a} q; q \xrightarrow{a} s; s \xrightarrow{a} q) \vee (p \xrightarrow{b} r; r \xrightarrow{b} s; s \xrightarrow{b} r)$ and $\mathcal{G}_2 = r \xrightarrow{c} s; s \xrightarrow{c} r; s \xrightarrow{c} q$. The projection of $\mathcal{G}_1 \wedge \mathcal{G}_2$ from the environment $\{q : p!a.\mathsf{end},\; r : p!b.\mathsf{end}\}$ can be obtained only from the interleaving

\[ r \xrightarrow{c} s; \mathcal{G}_1; s \xrightarrow{c} r; s \xrightarrow{c} q. \]

The reason is that $q$ and $r$ receive messages only in one of the two branches of the « $\vee$ », so we need to compute the merge of their types in these branches with their types in the continuations. The example shows that to project $\mathcal{G}_1 \wedge \mathcal{G}_2$ it may be necessary to arbitrarily decompose one or both of $\mathcal{G}_1$ and $\mathcal{G}_2$ to find the particular interleaving of actions that can be projected. As long as $\mathcal{G}_1$ and $\mathcal{G}_2$ are finite (no non-trivial iteration occurs in them), we can use a brute force approach and try to project all the elements in their shuffle, since there are only finitely many of them. In general, i.e., in the presence of iteration, this is not an effective solution. However, we conjecture that even in the presence of infinitely many traces one may always resort to the finite case by considering only zero, one, and two unfoldings of starred global types. To give a rough idea of the intuition supporting this conjecture consider the global type $\mathcal{G}^* \wedge \mathcal{G}'$: its projectability requires the projectability of $\mathcal{G}'$ (since $\mathcal{G}$ can be iterated zero times), of $\mathcal{G} \wedge \mathcal{G}'$ (since $\mathcal{G}$ can occur only once) and of $\mathcal{G};\mathcal{G}$ (since the number of occurrences of $\mathcal{G}$ is unbounded). It is enough to require also that either $\mathcal{G};(\mathcal{G} \wedge \mathcal{G}')$ or $(\mathcal{G} \wedge \mathcal{G}');\mathcal{G}$ can be projected, since then the projectability of either $\mathcal{G}^n;(\mathcal{G} \wedge \mathcal{G}')$ or $(\mathcal{G} \wedge \mathcal{G}');\mathcal{G}^n$ for an arbitrary $n$ follows (see Appendix C).

So we can, or conjecture we can, get rid of all occurrences of « $\wedge$ » operators automatically, without losing in projectability. However, examples (4.1) and (4.2) in Section 4 show that rule (SP-SubsumptionG) is useful to project also global types in which the $\wedge$-constructor does not occur. A fully automated approach may consider (4.1) and (4.2) as right-to-left rewriting rules that, in conjunction with some other rules, form a rewriting system generating a set of global types to be fed to the algorithm of Table 4. The choice of such rewriting rules must rely on a more thorough study to formally characterize the sensible classes of approximations to be used in the algorithms. An alternative approach is to consider a global type $\mathcal{G}$ as somewhat underspecified, in that it may allow for a large number of different implementations (exhibiting different sets of traces) that are sound and complete. Therefore, rule (SP-SubsumptionG) may be interpreted as a human-assisted refinement process where the designer of a system proposes one particular implementation $\mathcal{G} \sqsubseteq \mathcal{G}'$ of a system described by $\mathcal{G}'$. In this respect it is interesting to observe that checking whether $L_1 \sqsubseteq L_2$ when $L_1$ and $L_2$ are regular is decidable, since this is a direct consequence of the decidability of the Parikh equivalence on regular languages [Par66].

5.4. Properties of the algorithmic rules. Every deduction of the algorithmic system 
given in Table 4, possibly preceded by the elimination of « ∧ » and other potential sources 
of failures by applying the rewritings/heuristics outlined in the previous subsection, induces 
a similar deduction using the rules for semantic projection (Table 3). For the proof see 
Appendix D. 

Theorem 5.1. If $\vdash_{a} \mathcal{G} \triangleright \Delta$, then $\vdash \mathcal{G} \triangleright \Delta$. 

As a corollary of Theorems 4.1 and 5.1 we immediately obtain that the projection $\Delta$ of 
a well-formed $\mathcal{G}$ returned by the algorithm is sound and complete with respect to $\mathcal{G}$. 

Remark 5.1. Although every projection of a global type $\mathcal{G}$ produced by the algorithm is 
sound and complete with respect to $\mathcal{G}$, let us stress once more that the algorithm itself is 
sound but not complete with respect to the semantic projection system defined in Table 3: 
while every algorithmic projection is a semantic projection as well, there exist global types 
which are projectable semantically but not algorithmically. 



6. k-EXIT ITERATIONS 

The syntax of global types (Table 1) includes that of regular expressions and therefore is 
expressive enough for describing any protocol that follows a regular pattern. Nonetheless, 
the simple Kleene star prevents us from projecting some useful protocols. To illustrate the 
point, suppose we want to describe an interaction where two participants p and q alternate 
in a negotiation in which each of them may decide to bail out. On p's turn, p sends either 
a bailout message or a handover message to q; if a bailout message is sent, the negotiation 
ends, otherwise it continues with q that behaves in a symmetric way. The global type 

$$(\mathsf{p} \xrightarrow{\mathsf{handover}} \mathsf{q};\ \mathsf{q} \xrightarrow{\mathsf{handover}} \mathsf{p})^{*};\ (\mathsf{p} \xrightarrow{\mathsf{bailout}} \mathsf{q}\ \vee\ \mathsf{p} \xrightarrow{\mathsf{handover}} \mathsf{q};\ \mathsf{q} \xrightarrow{\mathsf{bailout}} \mathsf{p})$$

describes this protocol as an arbitrarily long negotiation that may end in two possible ways, 
according to the participant that chooses to bail out. This global type cannot be projected 
because of the two occurrences of the interaction $\mathsf{p} \xrightarrow{\mathsf{handover}} \mathsf{q}$, which make it ambiguous 
whether p actually chooses to bail out or to continue the negotiation. In general, our projection 
rules (SP-Iteration) and (AP-Iteration) make the assumption that an iteration 
can be exited in one way only, while in this case there are two possibilities according to 
which participant bails out. This lack of expressiveness of the simple Kleene star used in a 
nondeterministic setting [Mil84] led researchers to seek alternative iterative constructs. 



Whether two regular languages have the same Parikh image is decidable. The Parikh image of a word w 
maps each letter of the alphabet to the number of times it appears in w, the Parikh image of a language is 
the set of Parikh images of all words in the language. By checking Parikh images one can check equivalence 
of languages modulo permutations. 
Table 5: Semantic projection of k-exit iteration. 

(SP-k-Exit Iteration) 

$$
\dfrac{
\begin{array}{c}
\Delta \vdash \mathcal{G}_i' \triangleright \{\mathsf{p}_i : S_i\} \uplus \{\mathsf{p}_j : R_j\}_{j=1,\dots,i-1,i+1,\dots,k} \uplus \Delta' \qquad (i \in \{1,\dots,k\})\\[3pt]
\{\mathsf{p}_2 : T_2 \oplus S_2\} \uplus \{\mathsf{p}_i : R_i\}_{i=1,3,\dots,k} \uplus \Delta' \vdash \mathcal{G}_1 \triangleright \{\mathsf{p}_1 : T_1\} \uplus \{\mathsf{p}_i : R_i\}_{i=2,\dots,k} \uplus \Delta'\\[3pt]
\{\mathsf{p}_3 : T_3 \oplus S_3\} \uplus \{\mathsf{p}_i : R_i\}_{i=1,2,4,\dots,k} \uplus \Delta' \vdash \mathcal{G}_2 \triangleright \{\mathsf{p}_2 : T_2\} \uplus \{\mathsf{p}_i : R_i\}_{i=1,3,\dots,k} \uplus \Delta'\\[3pt]
\vdots\\[3pt]
\{\mathsf{p}_1 : T_1 \oplus S_1\} \uplus \{\mathsf{p}_i : R_i\}_{i=2,\dots,k} \uplus \Delta' \vdash \mathcal{G}_k \triangleright \{\mathsf{p}_k : T_k\} \uplus \{\mathsf{p}_i : R_i\}_{i=1,\dots,k-1} \uplus \Delta'
\end{array}
}{
\Delta \vdash (\mathcal{G}_1,\dots,\mathcal{G}_k)^{k*}(\mathcal{G}_1',\dots,\mathcal{G}_k') \triangleright \{\mathsf{p}_1 : T_1 \oplus S_1\} \uplus \{\mathsf{p}_i : R_i\}_{i=2,\dots,k} \uplus \Delta'
}
$$



One proposal is the k-exit iteration [BBP93], which is a generalization of the binary Kleene 
star and has the form 

$$(\mathcal{G}_1, \dots, \mathcal{G}_k)^{k*}(\mathcal{G}_1', \dots, \mathcal{G}_k')$$

indicating a loop consisting of k subsequent phases $\mathcal{G}_1, \dots, \mathcal{G}_k$. The loop can be exited just 
before each phase through the corresponding $\mathcal{G}_i'$. Formally, the traces of the k-exit iteration 
can be expressed thus: 

$$\mathrm{tr}((\mathcal{G}_1,\dots,\mathcal{G}_k)^{k*}(\mathcal{G}_1',\dots,\mathcal{G}_k')) \stackrel{\mathrm{def}}{=} \mathrm{tr}((\mathcal{G}_1;\dots;\mathcal{G}_k)^{*};(\mathcal{G}_1' \vee \mathcal{G}_1;\mathcal{G}_2' \vee \dots \vee \mathcal{G}_1;\dots;\mathcal{G}_{k-1};\mathcal{G}_k'))$$

and, for example, the negotiation above can be represented as the global type 

$$(\mathsf{p} \xrightarrow{\mathsf{handover}} \mathsf{q},\ \mathsf{q} \xrightarrow{\mathsf{handover}} \mathsf{p})^{2*}(\mathsf{p} \xrightarrow{\mathsf{bailout}} \mathsf{q},\ \mathsf{q} \xrightarrow{\mathsf{bailout}} \mathsf{p}) \qquad (6.1)$$

while the unary Kleene star $\mathcal{G}^{*}$ can be encoded as $(\mathcal{G})^{1*}(\mathsf{skip})$. 
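To make the trace equation above concrete, here is an added example in Python (not code from the paper): it encodes global types as nested tuples, enumerates traces up to a length bound, rewrites a k-exit iteration into the Kleene-star form of the equation, and checks that (6.1) has exactly the traces of the starred global type at the beginning of this section and that $(\mathcal{G})^{1*}(\mathsf{skip})$ has those of $\mathcal{G}^{*}$. It also implements the Parikh-image comparison recalled in Section 5.3: the traces of $\mathcal{G}_1 \wedge \mathcal{G}_2$ and of $\mathcal{G}_1;\mathcal{G}_2$ differ but have the same Parikh images. The tuple encoding, the function names and the length bound are this example's own choices, not notation from the paper.

```python
"""Bounded trace semantics of global types, including the k-exit iteration.

Added example (not code from the paper). Global types are nested tuples:
  ("act", p, msg, q)            p --msg--> q
  ("seq", G1, G2)               G1 ; G2
  ("or", G1, G2)                G1 v G2   (branching)
  ("and", G1, G2)               G1 ^ G2   (parallel, i.e. interleaving)
  ("star", G)                   G*
  ("skip",)
  ("kexit", [G1..Gk], [G1'..Gk'])   (G1,...,Gk)^{k*}(G1',...,Gk')
A trace is a tuple of interactions (sender, message, receiver)."""
from collections import Counter


def act(p, msg, q):
    """The interaction p --msg--> q."""
    return ("act", p, msg, q)


def seq(*gs):
    """G1 ; G2 ; ... ; Gn (sequencing, left-nested)."""
    g = gs[0]
    for h in gs[1:]:
        g = ("seq", g, h)
    return g


def shuffle(s, t):
    """All interleavings of two traces (the trace semantics of G1 ^ G2)."""
    if not s or not t:
        return {s + t}
    return ({(s[0],) + u for u in shuffle(s[1:], t)}
            | {(t[0],) + u for u in shuffle(s, t[1:])})


def kexit_expansion(phases, exits):
    """Rewrite (G1,...,Gk)^{k*}(G1',...,Gk') into the Kleene-star form that
    defines its traces: (G1;...;Gk)* ; (G1' v G1;G2' v ... v G1;...;G_{k-1};Gk')."""
    alts = [seq(*phases[:i], exits[i]) for i in range(len(phases))]
    body = alts[0]
    for a in alts[1:]:
        body = ("or", body, a)
    return ("seq", ("star", seq(*phases)), body)


def traces(g, n):
    """Traces of g of length at most n (a finite approximation of tr(g))."""
    if n < 0:
        return set()
    kind = g[0]
    if kind == "skip":
        return {()}
    if kind == "act":
        return {(g[1:],)} if n >= 1 else set()
    if kind == "seq":
        return {s + t for s in traces(g[1], n) for t in traces(g[2], n - len(s))}
    if kind == "or":
        return traces(g[1], n) | traces(g[2], n)
    if kind == "and":
        return {u for s in traces(g[1], n)
                for t in traces(g[2], n - len(s)) for u in shuffle(s, t)}
    if kind == "star":
        result, frontier = {()}, {()}
        while frontier:  # unfold the body once more until the bound is hit
            frontier = {s + t for s in frontier
                        for t in traces(g[1], n - len(s)) if t} - result
            result |= frontier
        return result
    if kind == "kexit":
        return traces(kexit_expansion(g[1], g[2]), n)
    raise ValueError(f"unknown global type constructor {kind!r}")


def parikh(trace_set):
    """Parikh images: each trace becomes the multiset of its interactions, so two
    trace sets with equal images coincide modulo permutation of interactions."""
    return {frozenset(Counter(t).items()) for t in trace_set}


def same_traces(g1, g2, n):
    return traces(g1, n) == traces(g2, n)


def parikh_equivalent(g1, g2, n):
    return parikh(traces(g1, n)) == parikh(traces(g2, n))


# The negotiation of this section: first with the Kleene star, then as (6.1).
H, h = act("p", "handover", "q"), act("q", "handover", "p")
B, b = act("p", "bailout", "q"), act("q", "bailout", "p")
NEGOTIATION_STAR = seq(("star", seq(H, h)), ("or", B, seq(H, b)))
NEGOTIATION_KEXIT = ("kexit", [H, h], [B, b])

if __name__ == "__main__":
    print(same_traces(NEGOTIATION_STAR, NEGOTIATION_KEXIT, 8))       # True
    print(same_traces(("kexit", [H], [("skip",)]), ("star", H), 6))  # True: G* = (G)^{1*}(skip)
    par, sq = ("and", H, act("r", "a", "s")), seq(H, act("r", "a", "s"))
    print(same_traces(par, sq, 4), parikh_equivalent(par, sq, 4))    # False True
```

The bound `n` is what keeps the star finite; raising it only adds longer unfoldings, so an inequality found at some bound is a genuine difference between the two global types, while equality at a bound is evidence, not a proof, for the infinite trace sets.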

In our setting, the advantage of the k-exit iteration over the Kleene star is that it 
syntactically identifies the k points in which a decision is made by a participant of a multi-party 
session and, in this way, it enables more sophisticated projection rules such as those 
in Table 5. Albeit intimidating, rule (SP-k-Exit Iteration) is just a generalization of 
rule (SP-Iteration). For each phase i a (distinct) participant $\mathsf{p}_i$ is identified: the participant 
may decide to exit the loop behaving as $S_i$ or to continue the iteration behaving as $T_i$. 
While projecting each phase $\mathcal{G}_i$, the participant $\mathsf{p}_{(i \bmod k)+1}$ that will decide at the next turn 
is given the continuation $T_{(i \bmod k)+1} \oplus S_{(i \bmod k)+1}$, while the others must behave according 
to some $R_i$ that is the same for every phase in which they play no active role. Once again, 
rule (SP-Subsumption) is required in order to synthesize these behaviors. For example, 
the global type (6.1) is projected to 

$$\{\mathsf{p} : \mathsf{rec}\,X.(\mathsf{q}!\mathsf{handover}.(\mathsf{q}?\mathsf{handover}.X + \mathsf{q}?\mathsf{bailout}.\mathsf{end}) \oplus \mathsf{q}!\mathsf{bailout}.\mathsf{end}),$$
$$\ \mathsf{q} : \mathsf{rec}\,Y.(\mathsf{p}?\mathsf{handover}.(\mathsf{p}!\mathsf{handover}.Y \oplus \mathsf{p}!\mathsf{bailout}.\mathsf{end}) + \mathsf{p}?\mathsf{bailout}.\mathsf{end})\}$$

as one expects. 
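As an added example (not code from the paper), the following Python executes the two projected session types above synchronously, collects the traces of the resulting session up to a length bound, and compares them with the traces of (6.1): soundness is inclusion of the session's traces in those of the global type, completeness the converse, and the `stuck` flag reports a reachable state in which a participant wants to send a message its peer is not ready to receive. A deliberately wrong implementation of q that never expects p to bail out (constructed for the example) shows what the check rejects. The tuple encoding of session types, the function names and the bound are this example's assumptions.

```python
"""Executing the projection of (6.1): the session types of p and q run together
and their traces compared with those of the global type.

Added example (not code from the paper). Session types are nested tuples:
  ("out", peer, msg, T)     peer!msg.T
  ("in",  peer, msg, T)     peer?msg.T
  ("ichoice", T1, T2)       T1 (+) T2   internal choice: this participant decides
  ("echoice", T1, T2)       T1  +  T2   external choice: the peer decides
  ("rec", X, T), ("var", X), ("end",)
Interactions in traces are (sender, message, receiver)."""


def subst(t, x, r):
    """Substitute the session type r for the recursion variable x in t."""
    kind = t[0]
    if kind == "var":
        return r if t[1] == x else t
    if kind in ("out", "in"):
        return (kind, t[1], t[2], subst(t[3], x, r))
    if kind in ("ichoice", "echoice"):
        return (kind, subst(t[1], x, r), subst(t[2], x, r))
    if kind == "rec":
        return t if t[1] == x else (kind, t[1], subst(t[2], x, r))
    return t  # end


def unfold(t):
    """Unfold leading rec X.T into T[rec X.T / X] until a prefix, a choice or end."""
    while t[0] == "rec":
        t = subst(t[2], t[1], t)
    return t


def offers(t, kind):
    """Communications t can perform now, as (peer, msg, continuation).
    kind "out": outputs reachable through internal choices; kind "in": inputs
    reachable through external choices."""
    t = unfold(t)
    if t[0] == kind:
        return {(t[1], t[2], t[3])}
    if t[0] == ("ichoice" if kind == "out" else "echoice"):
        return offers(t[1], kind) | offers(t[2], kind)
    return set()


def session_traces(session, n):
    """Completed traces of length <= n of the synchronous composition of the
    session types in `session` (participant -> type), plus a flag set when some
    reachable state has an output its intended receiver is not ready for."""
    completed, stuck = set(), False
    frontier = [((), session)]
    while frontier:
        trace, s = frontier.pop()
        if all(unfold(t)[0] == "end" for t in s.values()):
            completed.add(trace)
            continue
        if len(trace) >= n:
            continue
        for p, tp in s.items():
            for q, msg, cont_p in offers(tp, "out"):
                ready = [c for (r, m, c) in offers(s[q], "in") if r == p and m == msg]
                if not ready:  # p wants to send, q cannot receive: a communication error
                    stuck = True
                    continue
                s2 = dict(s)
                s2[p], s2[q] = cont_p, ready[0]
                frontier.append((trace + ((p, msg, q),), s2))
    return completed, stuck


# The projection of (6.1) computed in the text above.
P_NEGOTIATION = ("rec", "X", ("ichoice",
    ("out", "q", "handover", ("echoice", ("in", "q", "handover", ("var", "X")),
                                         ("in", "q", "bailout", ("end",)))),
    ("out", "q", "bailout", ("end",))))
Q_NEGOTIATION = ("rec", "Y", ("echoice",
    ("in", "p", "handover", ("ichoice", ("out", "p", "handover", ("var", "Y")),
                                        ("out", "p", "bailout", ("end",)))),
    ("in", "p", "bailout", ("end",))))
# A wrong implementation of q, constructed for this example: it never expects p to bail out.
Q_DEAF = ("rec", "Y", ("in", "p", "handover",
    ("ichoice", ("out", "p", "handover", ("var", "Y")), ("out", "p", "bailout", ("end",)))))


def negotiation_traces(n):
    """tr((6.1)) cut at length n: (H h)^i followed by p bailing out, or by H and q bailing out."""
    H, h = ("p", "handover", "q"), ("q", "handover", "p")
    B, b = ("p", "bailout", "q"), ("q", "bailout", "p")
    result, i = set(), 0
    while 2 * i + 1 <= n:
        prefix = (H, h) * i
        result.add(prefix + (B,))
        if 2 * i + 2 <= n:
            result.add(prefix + (H, b))
        i += 1
    return result


def check_projection(session, n):
    """Soundness (no session trace outside the global type), completeness (every
    global trace is realised) and absence of unreceivable outputs, up to length n."""
    got, stuck = session_traces(session, n)
    expected = negotiation_traces(n)
    return {"sound": got <= expected, "complete": expected <= got, "stuck": stuck}


if __name__ == "__main__":
    print(check_projection({"p": P_NEGOTIATION, "q": Q_NEGOTIATION}, 8))
    print(check_projection({"p": P_NEGOTIATION, "q": Q_DEAF}, 8))
```

The composition is synchronous, matching the trace semantics of this paper rather than the asynchronous buffers of the CFSMs discussed in Section 7.1; the deaf variant of q is still sound (it produces no trace the global type forbids) but incomplete, and the `stuck` flag is what exposes that p's bailout would be lost.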

7. Related work 

The formalization and analysis of the relation between a global description of a distributed 
system and a more machine-oriented description of a set of components that implements it 
is a problem that has been studied in several contexts and by different communities. In this 
setting, important properties that are considered are the verification that an implementation 
satisfies the specification, the implementability of the specification, and the study of different 
properties of the specification that can then be transposed to each (possibly automatically 
produced) implementation satisfying it. In this work we focused on the implementability 
problem, and we tackled it from the "Web service coordination" perspective developed by 
the community that works on behavioral types and process algebrae. We are just the 
latest ones to attack this problem. So many other communities have been considering it 
before us that even a sketchy survey has no chance to be exhaustive. In what follows 
we describe two alternative approaches studied by important communities with a large 
amount of different and important contributions, namely the "automata" and "cryptographic 
protocols" approaches, and then focus on surveying our "behavioral types/process algebra" 
approach stressing the relations with the two other approaches and its peculiarities. 

Figure 1: MSG of the seller-buyer protocol 



7.1. Automata approach. Probably the most extensive research on this problem is pursued 
by the "automata/model-checking" (particularly, finite state automata) community 
where special care is paid to software engineering specification problems. In particular, a 
lot of research effort has focused on two specification languages standardized in telecommunications, 
the Message Sequence Charts (MSCs, ITU Z.120 standard) and the Specification 
and Description Language (SDL, ITU Z.100 standard). These respectively play the roles 
of our global types and session types. MSCs have become popular in software development 
thanks to their graphical representation that depicts every process by a vertical line and 
each message as an arrow from the sender to the receiver process fired according to their 
top-down ordering. This standard, included in UML, can also represent other features, such 
as timers, atomic events, local/global conditions, but it can represent neither iterations nor 
branching. This is why it has been extended to Message Sequence Graphs (MSGs, a special 
case of the High-Level Message Sequence Charts included in the Z.120 standard, with 
equivalent expressivity [MR97]) which consist of finite transition systems whose states encapsulate 
a single MSC: reaching a given state starts the execution of the embedded MSC 
whose termination makes the control move to another state. MSGs play the same role as 
our global types. 

In particular the global type (1.2) of the introduction corresponds to the MSG in Figure 1. 
The MSG is formed by four states that embed a MSC each. The middle state can 
loop on itself or branch in one of the two possible final states. 

While a MSG specifies the behavior of a distributed system in terms of interactions, 
Communicating Finite-State Machines (CFSMs), the core theoretical model of SDL, 
describe it in terms of its single components. They are systems of finite state automata that 
communicate via asynchronous unbounded FIFO channels. The automata transitions are 
labeled by communication primitives which specify the message and the sender or receiver 
of it, and their execution triggers a read or write action on the corresponding buffer. A run 
is successful if each automaton ends its execution in a final state and all buffers are empty. 
An example is depicted in Figure 2, which implements the protocol described by the MSG of 
Figure 1. The automaton on the top implements the seller while the one on the bottom the 
buyer. They communicate by two directional buffers depicted in the middle of the figure. It 
is clear that every run of these machines places at most 2 messages in the buffers and that 
buffers of length 1 would suffice to implement this protocol without causing deadlocks. 

Figure 2: CFSMs implementing the seller-buyer protocol. 

CFSMs essentially are our pre-session types: nothing prevents two transitions respectively 
labeled by an input and an output operation from springing from the same state. As in our 
case the interest is in relating MSGs with CFSMs so that the latter are implementations of 
the former. It comes as no surprise that the two formalisms are in general incomparable. As 
pointed out in [GMP03, GM05] this depends on two fundamental parameters: control and 
state. In MSGs (as well as in our global types) the control of branching is essentially global 
since it affects all the roles that occur in future executions, whereas in CFSMs (as well as 
in session types) it is inherently local, since it corresponds to the local transition function. 
Consequently, there are MSGs that are not implementable by CFSMs, insofar as the latter 
cannot implement global choices (in this work we further distinguished three degrees of "non 
implementability": no sequentiality, no knowledge for choice and no knowledge no choice). 
Vice versa, the unbounded buffers of CFSMs provide them with infinite states and this gives 
them a Turing equivalent expressivity [BZ83]. MSGs, instead, are finitely generated, in the 
sense that for every MSG G there exists a finite set $\mathcal{F}$ of finite MSCs such that any execution 
of G can be written as the juxtaposition of the execution of elements in $\mathcal{F}$. It is then 
clear that MSGs cannot specify all CFSM systems (an example of this is the alternating bit 
protocol in which a sender resends a message to a receiver since the acknowledgment arrived 
too late: to be specified, this protocol needs MSCs of arbitrary length, see [GMP03]). The 
relative expressive powers of the two formalisms (finitely generated vs. Turing complete) 
make it apparent that the static verification of properties should be much "easier" on MSGs 
than on CFSMs. Indeed, the expressivity of CFSMs is used to justify the use of MSGs 
as an early specification tool to then be implemented (i.e., projected) into CFSMs: since 
CFSMs are Turing complete, all nontrivial behavioral properties, namely termination, reachability 
(i.e., is a given control state reachable?), deadlock-freedom, and boundedness (i.e., is there 
some bound n such that every reachable configuration has buffers of size at most n?), are 
undecidable. Even if some of these properties can be made decidable by some restrictions 
(e.g., reachability and safety properties become decidable with lossy channels, even though 
liveness properties and boundedness remain undecidable, see [Sch04]) it is believed that 
a satisfactory set of decidable properties can be obtained only with trivial CFSMs (e.g., 
with only two processes or with bounded buffers). Half-duplex systems [CF05] made of two 
CFSMs, where each reachable configuration has at most one buffer non-empty, are closely 
related to dyadic sessions and exhibit a number of decidability results which, unfortunately, 
do not scale to systems made of an arbitrary number of machines, even if the half-duplex 
restriction is maintained. MSGs have potentially much better properties, since they are 
finitely generated. For instance, it is possible to determine the maximum size of the buffers 
that each MSC that composes an MSG has to use in order to execute it. Such properties, 
combined with the fact that the global semantics of CFSM/SDL specifications is much 
more difficult to understand than that of MSGs, explain why it is very sensible to start with 
a MSG, model-check its properties and then implement it as a set of CFSMs. However, 
MSGs do not have robust closure properties as, say, regular languages (the choice we made 
for our global types). As a consequence, many variants of MSGs have been proposed in the 
literature to make verification and projection effectively and efficiently implementable (an 
extensive list of references can be found in [GM05] and a more detailed comparison is given 
in [GMP03]). In particular if one considers the restrictions we imposed on our global types, 
namely that branching is controlled by one process (they are called local-choice MSGs), 
then properties can be model-checked in polynomial or tractable time (while in the general 
setting of MSGs many variants of model-checking are undecidable [AY99, MPS98]). MSGs 
can also be restricted to the class of regular MSGs that have robust properties and for which 
the implementability by deadlock-free CFSMs is decidable. In this context however implementability 
means generating the same set of traces [AEY00, AEY01]. So we are in the 
presence of quite a strict definition of implementability. Other notions of implementability 
have been studied yielding different decidability results (e.g., see [AEY00, AEY01]): among 
these we can cite implementations allowed to produce messages not described by the MSG 
(i.e., unfit implementations, in the terminology used in our introduction), or the use of internal 
communications with messages on a distinct alphabet to synchronize the system (we 
avoided this approach, which corresponds to using covert channels), or implementations allowed 
to admit deadlocks. The reader can refer to [GMP03] for an extensive survey. However 
we are not aware of weaker implementability definitions such as the notions of soundness 
and completeness we introduced here. These, besides being an original contribution of our 
work, are also the main point that makes algorithmic projection difficult. There are some 
works, such as [BB11], characterizing classes of CFSMs for which it is possible to decide the 
conformance with respect to a global specification (choreography). 

7.2. Cryptographic protocols. Another domain in which much research on this topic has 
been done is the verification of cryptographic protocols. In this context, protocol narrations, 
which describe protocols in terms of conversations between "roles", must be matched against 
or implemented into a set of specifications for the single roles. However the goals pursued 
in this area are quite different from the one we outlined in the previous section, which 
yields global specification languages with characteristics different from the ones considered 
by the automata approach. A first important difference is the content of messages. While 
in the automata based research the content of communications is of lesser importance since 
it is usually drawn from a finite set of messages, in the domain of cryptographic protocols 
messages are defined by expressive languages that at least include cryptographic primitives. 
Whereas message content is richer, the communication pattern is somewhat simpler since 
security protocols are always of finite length, which is why MSCs rather than MSGs are 
used. However one has to be very precise about the way an agent processes its messages 
(which parts of a message should be extracted and checked by an agent and how an answer 
should be computed). This is why MSCs are annotated or enriched with mechanisms that 
express the internal actions to be performed by the agents. This gives rise to different 
flavors of formalisms (Figure 3 gives three samples of such languages: for more examples 
and a list of references see [CR10]). These global specifications are then used to verify 
security properties and, in some cases, to generate specifications for the roles composing 
them. Local specifications are much finer-grained and lower-level than those used in the 
automata approach. The details of internal executions of each agent are exposed and precisely 
defined since overlooking small details may lead to dramatic flaws. This explains 
why the palette of languages used to describe the local behavior appears to be more variegated 
than in the previous area: the pioneering work on compilation by Carlsen [Car94] 
compiles protocol narrations into a modal logic of communication; the system Casper produces 
CSP descriptions of protocols that are suitable to be model-checked [Low98] while 
CAPSL [MD02] and CASRUL [JRV00] translate global specifications of protocols, such as 
those given in Figure 3 (HLPSL is the protocol specification language used by CASRUL), 
into rewriting systems; in [CVB06] MSCs are interpreted into systems of pattern matching 
spi-calculus processes [AG99, HJ06]. Recent work has shown that most of the annotations 
and extensions of MSCs aimed at describing internal computations can be computed automatically 
from the protocol narration, and thus lightly annotated MSCs can be compiled into an 
operational semantics that describes the necessary internal actions [CR10]. 

The degree of detail about local behavior present both in global and local specification 
languages is not the only difference with the previous automata based approach. The other 
fundamental difference is the dynamism of the scenarios that both compilation and analysis 
must account for. Each role is not necessarily implemented by a single agent or process, 
but the concurrent presence of several agents that interpret the same role must be allowed 
in the system. The system may include intruder agents that are not described by the 
global specification and that may interfere with it; in particular, they may intercept, read, 
destroy and forge messages and, more generally, change the topology of the communications. 
Furthermore, different executions of the protocol may not be independent, as attackers can 
store information obtained in one execution and reuse it in a later one. 

In this context the works closest to our approach are [MK08] and [BCD+09]. McCarthy 
and Krishnamurthi [MK08] describe WPPL, a global description language which besides the 
basic communication action of MSCs provides actions for role definition and trust management. 
WPPL specifications are then projected in local behaviors defined in CPPL, a domain 
specific language that describes cryptographic protocol roles with trust annotations. In their 
work they give a nice comparison of their approach with the one used in Web services that 
we describe next. In particular, cryptography introduces information asymmetries (e.g., 
because of the presence of an intruder the message received by a role may be different from 
the one that was sent to it, or an encrypted message can be received only if the partner has 
the corresponding key) that are not handled by existing end-point projection systems. In a 
nutshell, in Web services global description formalisms as well as in the automata approach 
the focus is on communication patterns and the communication content is neglected, while 
in the realm of cryptographic protocols it is the combination of the two that really matters. 
Bhargavan et al. describe in [BCD+09] a compiler from high-level multi-party session 
descriptions to custom cryptographic protocols coded as ML modules. In the generated 
code each participant has strong security guarantees for all her/his messages against any 
adversary that may control both the network and some participants to the session. 

Figure 3: Kao Chow protocol in WPPL, HLPSL and CAPSL (clockwise from top). 



7.3. Web services. Our work springs from the research done to formally describe and 
verify compositions of Web services. This research has mainly centered on using process 
algebras to describe and verify the visible local behavior of services and only recently (all the 
references date from the last five years) has started to consider global choreographic descriptions 
of multiple services and the problem of their projection. This yielded the three layered 
structure depicted in Figure 4 (courtesy of P.-M. Denielou) where a global type describing 
the choreography is projected into a set of session types that are then used to type-check the 
processes that implement it (as well as guide their implementation). The study thus focuses 
on defining the relation between the different layers. Implementability is the relation between 
Figure 4: Global types and multi-party sessions in a nutshell. [Figure: three layers, related 
by projection (global type to session types) and type checking (session types to processes). 
Global Type: $\mathsf{alice} \to \mathsf{bob};\ \mathsf{bob} \to \mathsf{carol}$. Session Type $T_{\mathsf{bob}}$: 
$\mathsf{alice}?\mathsf{nat}.\mathsf{carol}!\mathsf{nat}.\mathsf{end}$. Process $M_{\mathsf{bob}}$: receive x from alice; 
send x+42 to carol; end.] 



the first and second layer. Here the important properties are that projection produces 
systems that are sound and complete with respect to the global description (in the sense 
stated by Theorem 4.1) and deadlock free (e.g., we rule out specifications such as 
$\mathsf{p} \to \mathsf{q} \ \vee\ \mathsf{p} \to \mathsf{r}$ when it has no continuation, since whatever the choice either q or r will be 
stuck). Typeability is the relation between the second and third layer. Here the important 
properties are subject reduction (well-typed processes reduce only to well-typed processes) 
and progress (which in this context implies deadlock freedom). 

Although in this work we disregarded the lower layer of processes, it is nevertheless an 
essential component of this research. In particular, it explains the nature of the messages 
that characterize this approach, which are types. One of the principal aims of this research, 
thus, is to find the right level of abstraction that must be expressed by types and session 
types. Consider again Figure 4. The process layer clearly shows the relation between the 
message received by bob and the one it sends to carol, but this relation (actually, any 
relation) is abstracted away both in the session and the global type layers. The level of 
abstraction is greater than that of cryptographic protocols since values are not tracked by 
global descriptions. Although tracking of values could be partially recovered by resorting 
to singleton types, there is a particular class of values that deserves special care and whose 
handling is one of the main future challenges of this research, that is, channels. The goal 
is to include higher order types in global specifications thus enabling the transmission of 
session channels and therefore the reification of dynamic reconfiguration of session topology. 
We thus aim at defining reconfiguration in the specification itself, as opposed to the 
case of cryptographic protocols where the reconfiguration of the communication topology 
is considered at meta-level for verification purposes. As a matter of fact, this feature has 
already been studied in the literature. For instance, the extension of WS-CDL [WSC05] 
with channel passing is studied in [CZ08] (as the automata approach has the MSC as its 
reference standard, so the Web service community refers to the WS-CDL standard whose 
implementability has been studied in [QZCY07]); the paper that first introduced a global 
calculus for session types [CHY07] explicitly mentions channels in messages that can be sent 
to other participants to open new sessions on them. In our opinion the existing works on 
session types are deeply syntactic in nature, in the sense that the operators in global types 
have been conceived as syntactic adaptations of the corresponding ones in session types. As 
a consequence, these operators do not always have a clear semantic justification. Here we 
preferred to take a step back and to start by defining global descriptions whose restrictions 
are semantically justified. So we favored a less rich language with few semantically justified 
features and leave the addition of more advanced features for a later time. 

Coming back to the comparison of the three approaches, the Web service-oriented approach 
shares several features with the other two. As for the automata approach 
we (in the sense of the Web service community) focus on the expressiveness of the control, the 
possibility of branching and iteration, and the effective implementability into deadlock-free 
local descriptions. However the tendency for Web services is to impose syntactic restrictions 
from the beginning rather than study the general case and then devise appropriate restrictions 
with the sought properties (in this respect our work and those of Bravetti, Zavattaro 
and Lanese [BZ07, BZ08, BLZ08] are few exceptions in the panorama of the Web service 
approach). Commonalities with the cryptographic protocol approach are more technical. In 
particular we share the dynamism of the communication topology (with the caveat about 
whether this dynamism is performed at the linguistic or meta-linguistic level) and the robustness 
with respect to reconfiguration (the projected session types should ensure that well-typed 
processes will be deadlock free even in the presence of multiple interleaved sessions and 
session delegation, though few works actually enforce this property [BCD+08, DCdLY08]). 
As for cryptographic protocols, this dynamism is also accounted for at the level of participants, since 
recent work in session types studies global descriptions of roles that can then be implemented 
by several different agents [DY11]. Finally, we take into account the internal behavior of 
processes (similarly to what happens for cryptographic protocols) without giving a precise 
specification of it but using precise enough (session) types to prevent any possible internal 
behavior from disrupting the properties of systems. There are also some characteristics that are 
specific to our approach such as the exploration of new linguistic features (for instance in 
this work we introduced actions with multi-senders) and a pervasive use of compositional 
deduction systems that we inherit from type theory. We conclude this section with a more 
in-depth description of the main references in this specific area so as to give a more detailed 
comparison with our work. 

7.3.1. Multi-party global types. Global types were introduced in [HYC08] for multi-party 
sessions, while [CHY07] describes a global calculus for dyadic sessions. Channels are present 
in both [CHY07] and [HYC08]. However the language of [CHY07] includes control structures 
and messages of complex form, since it was intended to be an executable language to describe 
Web-service interactions and, as such, it is directly projected into a language of processes. 
Thus it lacks the intermediate layer of Figure 4, which is bypassed by providing a more 
concrete upper layer. The three-layered structure of Figure 4 faithfully describes the work 
in [HYC08] which, nevertheless, presents several differences with the work presented here. 
In the syntax of our work, the global types of [HYC08] can essentially be described by the 
following grammar: 

$$
\begin{array}{rcll}
\mathcal{G} & ::= & \mathsf{end} & \text{(end)}\\
 & \mid & \mathsf{p} \xrightarrow{k(a)} \mathsf{q}.\mathcal{G} & \text{(interaction)}\\
 & \mid & \mathcal{G} \vee \mathcal{G} & \text{(branching)}\\
 & \mid & \mathcal{G} \wedge \mathcal{G} & \text{(parallel)}\\
 & \mid & X & \text{(variable)}\\
 & \mid & \mu X.\mathcal{G} & \text{(recursion)}
\end{array}
$$

In a nutshell, sequencing is replaced by prefix actions (terminated by "end"), labels are 
decorated by channels (ranged over by $k$), and general $\mu$-recursive definitions replace the 
(less expressive) Kleene star. Session types (called "local types" in [HYC08]) are even more 
similar to those presented here, the only difference being that input/output actions, which 
have the form $k!a.T$ and $k?a.T$, specify channel names rather than participant names. 

While the syntactic differences are minimal, it is not so for the semantic ones. A first 
important difference is that the global types of [HYC08] must satisfy several restrictions: 

(1) The set of participants of two global types composed in parallel must be disjoint. While 
this restriction clearly simplifies the algorithmic projection (the projection of $\mathcal{G}_1 \wedge \mathcal{G}_2$ 
reduces to the projection of $\mathcal{G}_1;\mathcal{G}_2$, cf. Section 5.3), it rules out simple protocols such 
as (1.1), the very first we presented in this work. 

(2) The first actions of global types composed by branching must specify the same channel, 
the same sender, the same receiver, and distinct messages (actually, labels). Furthermore 
every participant that is neither the first sender nor the first receiver must behave 
the same in all branches. The use of the same channel and, to a lesser extent, of 
the same senders and receivers for branching is a consequence of having adopted the 
original syntax of labeled branching used in the session types of [HVK98]. This first 
restriction forces the adoption of the second one: since session type communication 
specifies channels rather than participants, and since the channel is the same in all 
branches, then the only way for the (unique) receiver to distinguish the branches is to 
receive distinct messages on each of them. These restrictions, of syntactic origin, are 
more constraining than ours, which just require the presence of a single "decision maker". 
The restriction for "passive" participants to have the same behavior in all branches is a 
quite coarse condition to enforce what in our system is called "mergeability" (a similar 
notion of merge was already introduced in [YDBH10, DY11]). 

The syntax of global types in [HYC08] is more constraining than ours and the semantics 
of sequential composition is weaker. For example, two interactions like 
$\mathsf{p} \xrightarrow{k(a)} \mathsf{q}.\ \mathsf{r} \xrightarrow{k'(b)} \mathsf{s}.\mathsf{end}$ 
are required to happen in the same order as they occur in the global type only if $k$ and $k'$ are 
the same channel. Thus if $k \neq k'$ the participants p, q, r, and s can be unrelated. The reason 
for such a choice is, once more, due to the fact that global types are designed in function of 
the session types as defined by [HVK98], where different channels are typed independently 
and, thus, sequentiality constraints can be enforced only between communications on the same 
channel. It is interesting to notice that the situation is somehow dual to the one presented 
here. While we demand that the sequentiality of « ; » be strictly enforced, we accept any order 
on actions composed in parallel by a « ∧ ». In [HYC08] instead, while actions composed in 
parallel are forced to be independent (by demanding disjoint participants), any order of the 
"sequential" composition is accepted as long as it happens on distinct channels. 

In order to appreciate the usage of global types of [HYC08] and their projection let us 
revisit the paradigmatic example given in [HYC08], according to which two buyers, buyer1 
and buyer2, wish to collaborate to buy an item from a seller seller: buyer1 asks the 
item to seller, which sends a price to both buyers; buyer1 communicates to buyer2 its 
participation and buyer2 decides either to quit (by sending quit to seller) or to accept the 
price by communicating ok and the delivery address to the seller, and expecting a delivery 
date. This compound protocol is expressed as the following global type: 

$$
\begin{array}{l}
\mathsf{buyer1} \xrightarrow{h\langle\mathit{string}\rangle} \mathsf{seller}.\\
\mathsf{seller} \xrightarrow{k\langle\mathit{int}\rangle} \mathsf{buyer1}.\\
\mathsf{seller} \xrightarrow{k'\langle\mathit{int}\rangle} \mathsf{buyer2}.\\
\mathsf{buyer1} \xrightarrow{l\langle\mathit{int}\rangle} \mathsf{buyer2}.\\
\big(\mathsf{buyer2} \xrightarrow{h\langle\mathit{quit}\rangle} \mathsf{seller}.\mathsf{end}\\
\;\vee\; \mathsf{buyer2} \xrightarrow{h\langle\mathit{ok}\rangle} \mathsf{seller}.\;
\mathsf{buyer2} \xrightarrow{h\langle\mathit{string}\rangle} \mathsf{seller}.\;
\mathsf{seller} \xrightarrow{k'\langle\mathit{date}\rangle} \mathsf{buyer2}.\mathsf{end}\big)
\end{array}
\qquad (7.1)
$$

Notice that in the final branching of the protocol each action starting a branch is a commu- 
nication from buyer2 to seller on the same channel h of two different labels ok and quit 
(strictly speaking, two singleton types whose only value is, respectively, ok and quit). As 
expected the above global type is projected into 

$$
\begin{array}{rcl}
\mathsf{seller} &\mapsto& h?\mathit{string}.\,k!\mathit{int}.\,k'!\mathit{int}.\,(h?\mathit{quit}.\mathsf{end} + h?\mathit{ok}.\,h?\mathit{string}.\,k'!\mathit{date}.\mathsf{end})\\[2pt]
\mathsf{buyer1} &\mapsto& h!\mathit{string}.\,k?\mathit{int}.\,l!\mathit{int}.\mathsf{end}\\[2pt]
\mathsf{buyer2} &\mapsto& k'?\mathit{int}.\,l?\mathit{int}.\,(h!\mathit{quit}.\mathsf{end} \oplus h!\mathit{ok}.\,h!\mathit{string}.\,k'?\mathit{date}.\mathsf{end})
\end{array}
$$

Notice how participants are replaced by channels. In particular this implies that buyer2 
can distinguish the receptions from seller and buyer1 because they happen on distinct 
channels. Thus, in a sense, explicit channels play the same role as explicit participants in 
session types, except that the presence of channels makes global type analysis more difficult. 
This explains why such a feature has been abandoned in [DY11] (the latest follow-up of the 
multi-party sessions work), where global types no longer specify channels and session types 
use participants instead of channels (see later on). 

We said that [HYC08] enforces sequentiality only on a per-channel basis. Concretely, 
this means that for every projection the interactions on h in the first and fifth or sixth 
lines of the protocol in (7.1) must happen in the same relative order as they appear in the 
global type, and the same must hold for interactions on k' in the third and sixth lines. A 
rough way to ensure this property would be to prune all actions that are not on a given 
channel and then impose a well-formedness condition akin to the one we introduced in 
Definition 4.2. In [HYC08] a much finer-grained technique is used: it performs a global 
analysis of the dependency relation of a global type and ensures sequentiality on a given 
channel by exploiting synchronization information on interactions occurring also on different 
channels. In [CHY07] a stricter condition (dubbed "well-threadedness") is described for 
dyadic sessions, and it enforces a sequentiality condition similar to our well-formedness. 

Finally, we already saw that messages in the global types of [HYC08] can be either types 
(to describe the values of the communication) or labels (to perform branching), but they can also 
be channels, such as in 

$$\cdots .\;\mathsf{buyer1} \xrightarrow{l\langle k\rangle} \mathsf{buyer2}.\;\cdots$$

which allows global types to describe delegation. Delegation was introduced in [HYC08] 
for multi-party sessions and is directly inherited from the homonymous feature of dyadic 
sessions [HVK98]. A participant can delegate another agent to play its role in a session in a 
way that is transparent for all the remaining participants of the session. In the example 
above buyer1 delegates to buyer2 the task to continue the conversation with seller on k. 
By allowing higher-order channels, the concrete topology of communications may dynamically 
evolve. To ensure projectability in the presence of such a feature, further restrictions 
are required [HYC08]. 

If we focus on semantically justified restrictions, the presence of channels requires types 
to be "well-threaded" (to avoid that the use of different channels disrupts the sequentiality 
constraints of the specification) and message structures to be used "coherently" in different 
threads (to assure that a fixed server offers the same services to different clients), as discussed 
in [CHY07]. We did not include such features in our treatment since we wanted to study the 
problems of sequentiality (which yielded Definition 4.2 of well-formed global type) and of 
coherence (which is embodied by the subsession relation whose algorithmic counterpart is the 
merge operator) in the simplest possible setting (a single multi-party session) without further 
complexity induced by extra features. As a consequence of this choice, our merge between 
session types is a generalization of the merge in [YDBH10, DY11] since we allow inputs 
from different senders (this is the reason why our compatibility is more demanding than 
the corresponding notion in [YDBH10]). Since our framework does not include channels, we 
naturally disregarded any issue arising from delegation. 

Our crusade for simplification did not restrict itself to excluding features that seemed 
inessential or too syntax dependent, but it also used simpler forms of existing constructs. 
In particular an important design choice was to use Kleene star instead of the more expressive 
recursive global types used in [HYC08, DY11]. As an example, the global type describing an 
arbitrarily long interaction between participants p and q that p may terminate at any time 
can be described as 

$$(p \xrightarrow{a} q)^*;\; p \xrightarrow{b} q$$

in our calculus and as 

$$\mu X.(p \xrightarrow{a} q.X \;\vee\; p \xrightarrow{b} q.\mathsf{end})$$

in [HYC08]. The main advantage of the star over recursion is that it gives us a fair imple- 
mentation of the projected specification almost for free. Fairness seems to us an important 
— though mostly neglected by current literature — requirement for (multi-party) sessions. 
In particular, it allows us to develop a theory where multi-party sessions preserve a stronger 
liveness property, namely the potential to successfully terminate (termination under fairness 
assumption). A direct consequence of our choice is that we are capable of projecting global 
types where the progress of some participants crucially relies on the eventual termination of 
arbitrarily long interactions involving other participants. For example, the global type 

$$(p \xrightarrow{a} q)^*;\; p \xrightarrow{b} q;\; q \xrightarrow{c} r$$

is projectable in our theory but its correspondent 

$$\mu X.(p \xrightarrow{a} q.X \;\vee\; p \xrightarrow{b} q.\,q \xrightarrow{c} r.\mathsf{end})$$

is not in [HYC08]. The point is that participant r is waiting for a c message that will be sent 
only if p stops sending a messages to q. This is guaranteed in our theory but not in [HYC08], 
where, in principle, p may send a messages to q forever. 

In general recursion is more expressive than iteration. For example, we cannot express 
non-terminating interactions such as $\mu X.\,p \xrightarrow{a} q.X$. In the present work we regard this 
global type as wrong and take the point of view that a session eventually terminates, although 
there can be no upper bound to its duration. Recursion is more flexible when it comes to 
specifying iterations with multiple exit paths. For example, the global type 

$$\mu X.\big(p \xrightarrow{\mathit{handover}} q.(q \xrightarrow{\mathit{handover}} p.X \;\vee\; q \xrightarrow{\mathit{bailout}} p.\mathsf{end}) \;\vee\; p \xrightarrow{\mathit{bailout}} q.\mathsf{end}\big)$$

is a straightforward modeling of the global type that requires 2-exit iteration to be projected 
in our framework (Section 6). 

The exploration of a whole palette of different paradigms for global and local types and 
of variations thereof is another element that distinguishes the research done in the Web ser- 
vice communities from that in other communities. In particular, the Web service community 
does not hesitate to borrow features from other communities and, in this respect, a remark- 
able work is the one on dynamic multirole session types by Deniélou and Yoshida [DY11]. 
Consider again the very first example (1.1) of the introduction. It consists of just a single 
seller and a single buyer. While it seems reasonable to describe the protocol for a particular 
seller, it is restrictive to think that it will handle just one buyer at a time. The idea is 
that the seller will interact with a variable number of buyers, all implementing the same 
protocol, that will dynamically join and leave the session. Mutatis mutandis, Deniélou and 
Yoshida propose to describe the protocol as follows: 

$$
\forall x : \mathsf{buyer}.\;(\mathsf{seller} \xrightarrow{\mathit{descr}} x \;\wedge\; \mathsf{seller} \xrightarrow{\mathit{price}} x);\;(x \xrightarrow{\mathit{accept}} \mathsf{seller} \;\vee\; x \xrightarrow{\mathit{quit}} \mathsf{seller})
\qquad (7.2)
$$

Here buyer no longer denotes a single participant but rather a role that can be played by 
different participants (or processes) ranged over by x. The notion of role is extensively used 
in the research on the verification of cryptographic protocols, especially at a meta-linguistic 
level. Remarkably, Deniélou and Yoshida have internalized it, making it possible to precisely 
express the multi-role aspects of an interaction protocol both in global and in local types. 
Indeed, the possible projections of the global type above are: 

$$\forall x : \mathsf{buyer}.\; x!\mathit{descr}.\,x!\mathit{price}.\,(x?\mathit{accept} + x?\mathit{quit})$$

$$\mathsf{seller}?\mathit{descr}.\,\mathsf{seller}?\mathit{price}.\,(\mathsf{seller}!\mathit{accept} \oplus \mathsf{seller}!\mathit{quit})$$

and 

$$\forall x : \mathsf{buyer}.\; x!\mathit{price}.\,x!\mathit{descr}.\,(x?\mathit{accept} + x?\mathit{quit})$$

$$\mathsf{seller}?\mathit{price}.\,\mathsf{seller}?\mathit{descr}.\,(\mathsf{seller}!\mathit{accept} \oplus \mathsf{seller}!\mathit{quit})$$
Note that session types use participants instead of channels (global types such as (7.2) no 
longer specify channels). This yields projections that, apart from the quantifications in 
seller, are the same as those we gave in the introduction for example (1.1). Deniélou and 
Yoshida develop a theory that ensures communication safety (received messages are of the 
expected type) and progress (communications do not get stuck) of sessions in the presence 
of dynamically joining and leaving participants. 

Finally, although we aimed at simplifying as much as possible, we still imposed a few 
restrictions that seemed unavoidable. Foremost, the sequentiality condition of Section 4: 
any two actions that are bound by a semicolon must always appear in the same order in 
all traces of (sound and complete) implementations. Surprisingly, in all current literature on 
multi-party session types we are aware of, just one work [CHY07] enforces the sequential se- 
mantics of « ; ». In [CHY07] the sequentiality condition, called connectedness, is introduced 
(albeit in a simplified setting since — as in [HVK98, HYC08] — instead of sequential compo- 
sition the authors consider the simpler case of prefixed actions) and identified as one of three 
basic principles for global descriptions under which a sound and complete implementation 
can be defined. All other (even later) works admit to project, say, $q \to p;\; r \to p$ in im- 
plementations in which p receives from r before having received from q. While the technical 
interest of relaxing the sequentiality constraint in the interpretation of the « ; » operator is 
clear — it greatly simplifies projectability — we really cannot see any semantically plausible 
reason to do it. 

Our simpler setting allows us to give a semantic justification of the formalism and of 
the restrictions and the operators we introduced in it. For these reasons many restrictions 
that are present in other formalisms are pointless in our framework. For instance, two global 
types whose actions can be interleaved in an arbitrary way (i.e., composed by « ∧ » in our 
calculus) can share common participants in our global types, while in [HYC08] (which uses 
the parallel operator for « ∧ ») this is forbidden. So these works fail to project (actually, 
they reject) protocols as simple as the first line of the example given in the specification 
(1.1) in the introduction. Likewise we can have different receiver participants in a choice 
like, for example, the case in which two cooperating buyers wait for a price from a given 
seller: 

$$\mathsf{seller} \xrightarrow{\mathit{price}} \mathsf{buyer1};\; \mathsf{buyer1} \xrightarrow{\mathit{price}} \mathsf{buyer2} \;\vee\; \mathsf{seller} \xrightarrow{\mathit{price}} \mathsf{buyer2};\; \mathsf{buyer2} \xrightarrow{\mathit{price}} \mathsf{buyer1}$$

while such a situation is forbidden in [HYC08]. 

Another situation possible in our setting but forbidden in [HYC08, DY11] is to have 
different sets of participants for alternatives, such as in the following case where a buyer 
is notified about a price by the broker or directly by the seller, but in both cases gives an 
answer to the broker: 

$$
\mathsf{seller} \xrightarrow{\mathit{agency}} \mathsf{broker};\; (\mathsf{broker} \xrightarrow{\mathit{price}} \mathsf{buyer} \;\vee\; \mathsf{seller} \xrightarrow{\mathit{price}} \mathsf{buyer});\; \mathsf{buyer} \xrightarrow{\mathit{answer}} \mathsf{broker}
\qquad (7.3)
$$

A similar situation may arise when choosing between repeating or exiting a loop: 

$$
\mathsf{seller} \xrightarrow{\mathit{agency}} \mathsf{broker};\; (\mathsf{broker} \xrightarrow{\mathit{offer}} \mathsf{buyer};\; \mathsf{buyer} \xrightarrow{\mathit{counteroffer}} \mathsf{broker})^*;\; (\mathsf{broker} \to \mathsf{seller} \;\wedge\; \mathsf{broker} \to \mathsf{buyer})
\qquad (7.4)
$$

which is again forbidden in [HYC08, DY11]. Note that the interaction following « ; » in (7.3) 
can be distributed on the two branches, yielding the global type 

$$
\mathsf{seller} \xrightarrow{\mathit{agency}} \mathsf{broker};\; \big(\mathsf{broker} \xrightarrow{\mathit{price}} \mathsf{buyer};\; \mathsf{buyer} \xrightarrow{\mathit{answer}} \mathsf{broker} \;\vee\; \mathsf{seller} \xrightarrow{\mathit{price}} \mathsf{buyer};\; \mathsf{buyer} \xrightarrow{\mathit{answer}} \mathsf{broker}\big)
$$

where the two branches involve exactly the same set of participants. This form is com- 
patible with the notion of projection in [HYC08, DY11]. However, the same 
transformation is not possible for (7.4) because in this case projectability relies on the fair- 
ness assumption. Indeed, while we can consider a Kleene star as an infinite union of finite 
branches and thus, semantically, add the continuation to each of these branches, the finite- 
ness of each branch is guaranteed in our framework but not in [HYC08, DY11]. 

7.3.2. Choreographies. Global types can be seen as choreographies [WSC05] describing the 
interaction of some distributed processes connected through a private multi-party session. 
Therefore, there is a close relationship between our work and those by Zavattaro and his 
colleagues [BZ07, LGMZ08, BZ08, BLZ08], which concern the projection of choreographies 
into the contracts of their participants. The choreography language in these works coincides 
with our language of global types (including the use of iteration instead of recursion). Basi- 
cally, the only difference at the syntactic level is that interactions have the form $a_{p \to q}$ instead of 
$p \xrightarrow{a} q$. Just like in our case, a choreography is correct if it preserves the possibility to reach 
a state where all of the involved Web services have successfully terminated. There are some 
relevant differences though, starting from choreographic interactions that invariably involve 
exactly one sender and one receiver, while in the present work we allow for multiple senders. 
Other differences concern the communication model and the projection procedure. In partic- 
ular, the communication model is synchronous in [BZ07], based on FIFO buffers associated 
with each participant of a choreography in [BZ08], and partially asynchronous in [BLZ08] 
(output actions can fire, and thus drive the choice of an internal choice, also in the ab- 
sence of a dual active receiving action, but their continuation is blocked until the message is 
consumed by the receiver). Our model (Section 3) closely follows the ones adopted for multi- 
party sessions, where there is a single buffer and we consider the possibility for a receiver to 
specify the participant from which a message is expected. In [BZ07, LGMZ08, BZ08, BLZ08] 
the projection procedure is basically a homomorphism from choreographies to the behavior 
of their participants, which is described by a contract language equipped with parallel com- 
position, while our session types are purely sequential. [BZ07, BZ08] give no conditions to 
establish which choreographies produce correct projections. In contrast, [BLZ08, LGMZ08] 
define three connectedness conditions that guarantee correctness of the projection for various 
(synchronous and asynchronous) semantics. The interesting aspect is that these conditions 
are solely stated on the syntax of the choreography, while we need the combination of pro- 
jectability (Table 1) and well-formedness (Definition 4.2). Depending on the communication 
semantics, which can be synchronous or asynchronous in [BLZ08, LGMZ08], the connect- 
edness conditions may impose different constraints if compared to our well-formedness. For 
example, the choreography 

$$p \xrightarrow{a} q;\; r \xrightarrow{b} p$$

is connected for sequence according to [BLZ08] but is not well formed according to Defini- 
tion 4.2. This is a consequence of the different communication models adopted in [BLZ08] 
and in the present work. In [BLZ08] it is not possible for p to receive the b message from 
r before q has received the a message from p because p will block on the output of a until 
q receives the message. In our model, output messages are inserted within the buffer as- 
sociated with the session, so the sender can immediately proceed. This corresponds to the 
receiver semantics in [LGMZ08]. 

The connectedness conditions for alternative choreographies in [BLZ08, LGMZ08] im- 
pose stricter constraints since they require that the roles in both branches be the same. 
Therefore, the two global types involving the broker participant described by examples (7.3) 
and (7.4) are not connected. Additionally, the fact that these conditions are stated by look- 
ing at the syntax of choreographies may discriminate between equivalent choreographies. 
For example, the choreographies 

$$(p \xrightarrow{a} q \;\wedge\; r \xrightarrow{b} s) \;\vee\; (p \xrightarrow{a} q \;\wedge\; r \xrightarrow{c} s) \qquad\text{and}\qquad p \xrightarrow{a} q \;\wedge\; (r \xrightarrow{b} s \;\vee\; r \xrightarrow{c} s)$$

are equivalent (they generate the same set of traces), but only the second one is connected. 
In the first one, the fact that both branches emit actions where the sender can be either p 
or r seems to suggest the absence of a decision maker, while in fact there is one (r). Our 
definition of well-formedness, being based on the set of traces generated by a global type 
rather than its syntax, does not distinguish between the two choreographies. As we have 
shown, a careful projection procedure does not need these requirements for the projection 
to respect the choreography. 
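The trace-based reading of « ; », « ∨ » and « ∧ » that the comparison above relies on can be checked mechanically. The Python code below is an added example, not code from the paper or from any of the cited works: it encodes global types as nested tuples, takes the traces of a sequence as concatenations, of an alternative as the union, and of an unconstrained composition as all interleavings of the component traces, and approximates the infinite language of a Kleene star by unrolling it a bounded number of times (the bound is an assumption of the example, needed to keep the sets finite). With it one verifies that the two choreographies just discussed generate the same traces, and that (7.3) has the same traces as the form in which the answer interaction is distributed over its two branches.

```python
# Added example: trace semantics of global types (sequence, alternative,
# unconstrained composition and Kleene star) as finite sets of traces.
# The tuple encoding and the bounded unrolling of the star are assumptions
# of this example, not the paper's own definitions.

def act(sender, label, receiver):
    """Single interaction  sender --label--> receiver."""
    return ('act', f"{sender}-{label}->{receiver}")

def seq(*gs):  return ('seq',) + gs    # G1 ; G2   strictly sequential
def alt(*gs):  return ('alt',) + gs    # G1 v G2   alternative
def par(*gs):  return ('par',) + gs    # G1 ^ G2   unconstrained composition
def star(g):   return ('star', g)      # G*        Kleene star

def shuffle(u, v):
    """All interleavings of two traces u and v (tuples of interactions)."""
    if not u:
        return {v}
    if not v:
        return {u}
    return ({(u[0],) + w for w in shuffle(u[1:], v)} |
            {(v[0],) + w for w in shuffle(u, v[1:])})

def concat(l1, l2):
    return {u + v for u in l1 for v in l2}

def interleave(l1, l2):
    result = set()
    for u in l1:
        for v in l2:
            result |= shuffle(u, v)
    return result

def traces(g, bound=3):
    """Set of traces of global type g; a star is unrolled at most `bound` times."""
    kind = g[0]
    if kind == 'act':
        return {(g[1],)}
    if kind == 'seq':
        lang = {()}
        for sub in g[1:]:
            lang = concat(lang, traces(sub, bound))
        return lang
    if kind == 'alt':
        return set().union(*(traces(sub, bound) for sub in g[1:]))
    if kind == 'par':
        lang = {()}
        for sub in g[1:]:
            lang = interleave(lang, traces(sub, bound))
        return lang
    if kind == 'star':
        body = traces(g[1], bound)
        lang, power = {()}, {()}
        for _ in range(bound):
            power = concat(power, body)    # G^(m+1) = G^m G
            lang |= power
        return lang
    raise ValueError(f"unknown global type constructor {kind!r}")

def same_traces(g1, g2, bound=3):
    return traces(g1, bound) == traces(g2, bound)

# The two choreographies compared in the text: syntactically different,
# trace-equivalent (the decision maker r is visible only in the second one).
CHOR_SYNTACTIC = alt(par(act('p', 'a', 'q'), act('r', 'b', 's')),
                     par(act('p', 'a', 'q'), act('r', 'c', 's')))
CHOR_FACTORED = par(act('p', 'a', 'q'),
                    alt(act('r', 'b', 's'), act('r', 'c', 's')))

# Global type (7.3) and the form with the answer distributed on both branches.
G73 = seq(act('seller', 'agency', 'broker'),
          alt(act('broker', 'price', 'buyer'), act('seller', 'price', 'buyer')),
          act('buyer', 'answer', 'broker'))
G73_DISTRIBUTED = seq(act('seller', 'agency', 'broker'),
                      alt(seq(act('broker', 'price', 'buyer'), act('buyer', 'answer', 'broker')),
                          seq(act('seller', 'price', 'buyer'), act('buyer', 'answer', 'broker'))))

if __name__ == '__main__':
    print(same_traces(CHOR_SYNTACTIC, CHOR_FACTORED))   # True
    print(same_traces(G73, G73_DISTRIBUTED))            # True
    # the star example of Section 7.3.1, unrolled twice
    for t in sorted(traces(seq(star(act('p', 'a', 'q')), act('p', 'b', 'q')), bound=2)):
        print(t)
```

Because a star is only unrolled `bound` times, `same_traces` is an approximation for global types containing iteration; for star-free global types such as the four above it is exact.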

In [BZ07] the projection of choreographies with iteration is taken into account and 
in [LGMZ08] it is argued that the connectedness conditions scale without problems to this 
more general scenario. The authors do not address the limited expressiveness of single- 
exit iterations. For example, the first global type at the beginning of Section 6 yields a 
deadlocking projection also for [BZ07]. Given the similarities between choreographies and 
global types it is reasonable to expect that the adoption of k-exit iterations might resolve 
the issue in their setting as well. 

While discussing MSGs we argued that requiring the specification and its projection to 
produce the same set of traces (called standard implementation in [GMP03]) seemed overly 
constraining and advocated a more flexible solution such as the definitions of soundness and 
completeness introduced in the present work. Interestingly, Bravetti, Lanese and Zavat- 
taro [BLZ08] take the opposite viewpoint, and make this relation even stricter by requiring 
the relation between a choreography and its projection to be a strong bisimulation. 

The problem of analyzing choreographies and characterizing their properties has been 
addressed also by the community studying multiagent systems. In particular, Baldoni et 
al. [BBC+09] propose a notion of interoperable choreography which basically coincides with 
our notion of liveness: the interaction between the parties must preserve the ability to reach 
a state in which every party has successfully completed its task. Interoperability induces 
a notion of conformance between parties that is similar to our implementation pre-order 
and to other refinement relations. The main difference with respect to our work and those 
cited above is that in [BBC+09] a choreography is directly represented as the composition 
of its participants and their behavior is described by means of finite-state automata rather 
than terms of a process algebra. It appears that the techniques of choreography projection 
described in the present paper can be easily adapted to the context of [BBC+09] and that 
multiagent systems might provide an additional playground to further explore and validate 
the whole approach. 

7.3.3. Other calculi. In this brief overview we focused on works that study the relation be- 
tween global specifications and local machine-oriented implementations. However, in the 
literature there is an important effort to devise new description paradigms for either global 
descriptions or local descriptions. In the latter category we wish to cite [HVK98, BBDNL08], 
while [CP09] seems a natural candidate in which to project an eventual higher-order exten- 
sion of our global types. For what concerns global descriptions, the Conversation Calculus 
[CV09] stands out for the originality of its approach. 

8. Conclusion 

We think that the design-by-contract approach advocated in [CHY07, HYC08] and expanded 
in later works is a very reasonable way to implement distributed systems that are correct by 
construction. In this work we have presented a theory of global types in an attempt to better 
understand their properties and their relationship with multi-party session types. We 
summarize the results of our investigations in the remaining few lines. First of all, we have 
defined a proper algebra of global types whose operators have a clear meaning. In particular, 
we distinguish between sequential composition, which models a strictly sequential execution 
of interactions, and unconstrained composition, which allows the designer to underspecify 
the order of possibly dependent interactions. The semantics of global types is expressed in 
terms of regular languages. Aside from providing an accessible intuition on the behavior of 
the system being specified, the most significant consequence is to induce a fair theory of 
multi-party session types where correct sessions preserve the ability to reach a state in which 
all the participants have successfully terminated. This property is stronger than the usual 
progress property within the same session that is guaranteed in other works. We claim that 
eventual termination is both desirable in practice and also technically convenient, because it 
allows us to easily express the fact that every participant of a session makes progress (this is 
non-trivial, especially in an asynchronous setting). We have defined two projection methods 
from global to session types, a semantic and an algorithmic one. The former allows us to 
reason about which are the global types that can be projected, the latter about how these 
types are projected. This allowed us to define three classes of flawed global types and to 
suggest if and how they can be amended. Most notably, we have characterized the absence 
of sequentiality solely in terms of the traces of global types, while we have not been able to 
provide similar trace-based characterizations for the other flaws. Finally, we have defined a 
notion of completeness relating a global type and its implementation which is original to the 
best of our knowledge. In other theories we are aware of, this property is either completely 
neglected or it is stricter, by requiring the equivalence between the traces of the global type 
and those of the corresponding implementation. 
Appendix A. Proof of Theorem 4.1 

For the sake of readability we recall some definitions which will be largely used. 

Definition A.1. 

(1) $L^\circ \stackrel{\text{def}}{=} \{a_1 \cdots a_n \mid \text{there exists a permutation } \sigma \text{ such that } a_{\sigma(1)} \cdots a_{\sigma(n)} \in L\}$. 

(2) $L^\#$ is the smallest well-formed set such that $L \subseteq L^\#$. 

The properties stated in the following lemma are easily shown from Definitions A.1, 4.1 
and 3.1. 



Lemma A.1. The following properties hold: 

(1) $(L_1 \cup L_2)^\# = L_1^\# \cup L_2^\#$. 

(2) $(L_1 L_2^\#)^\# = (L_1 L_2)^\#$. 

(3) $(L_1 L_2^\circ)^\# \subseteq (L_1 L_2)^\circ$. 

(4) $L_1^\# \subseteq L_2^\circ$ implies $L_1^\circ \subseteq L_2^\circ$. 

(5) If $L_1 \preceq L_2$ then 

(a) $L_2 \preceq L_3$ implies $L_1 \preceq L_3$; 

(b) $L_3 \preceq (L_4 L_1)^\#$ implies $L_3 \preceq (L_4 L_2)^\#$; 
(c) $L_3 \preceq (L_1 L_4)^\#$ implies $L_3 \preceq (L_2 L_4)^\#$; 
(d) $L_3 \preceq L_4$ implies $L_1 \cup L_3 \preceq L_2 \cup L_4$. 

(6) $\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta) = \mathrm{tr}(\{p : T_1\} \uplus \Delta) \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta)$. 



Proof of Theorem 4.1. We show: 

$$\text{if } \Delta \vdash \mathcal{G} \triangleright \Delta' \text{, then } \mathrm{tr}(\Delta') \preceq (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\Delta))^\#.$$

The theorem follows immediately, since by definition if $\mathcal{G}$ is well formed, then $\mathrm{tr}(\mathcal{G}) = \mathrm{tr}(\mathcal{G})^\#$. 

The proof is by induction on the deduction of $\Delta \vdash \mathcal{G} \triangleright \Delta'$ and by cases on the last 
applied rule. 

Rule (SP-Skip): $\Delta \vdash \mathsf{skip} \triangleright \Delta$. Immediate. 

Rule (SP-Action): 

$$\{p_i : T_i\}_{i \in I} \uplus \{p : T\} \uplus \Delta \;\vdash\; \pi \xrightarrow{a} p \;\triangleright\; \{p_i : p!a.T_i\}_{i \in I} \uplus \{p : \pi?a.T\} \uplus \Delta$$

where $\pi = \{p_i \mid i \in I\}$. We get $\mathrm{tr}(\pi \xrightarrow{a} p) = \{\pi \xrightarrow{a} p\}$ by definition, and 

$$\mathrm{tr}(\{p_i : p!a.T_i\}_{i \in I} \uplus \{p : \pi?a.T\} \uplus \Delta) \subseteq (\{\pi \xrightarrow{a} p\}\,\mathrm{tr}(\{p_i : T_i\}_{i \in I} \uplus \{p : T\} \uplus \Delta))^\#$$

since all actions not involving $p$ commute with $\pi \xrightarrow{a} p$, and 

$$(\{\pi \xrightarrow{a} p\}\,\mathrm{tr}(\{p_i : T_i\}_{i \in I} \uplus \{p : T\} \uplus \Delta))^\# \subseteq \mathrm{tr}(\{p_i : p!a.T_i\}_{i \in I} \uplus \{p : \pi?a.T\} \uplus \Delta)^\circ$$

by Definition A.1. 

Rule (SP-Sequence): 

$$\frac{\Delta \vdash \mathcal{G}_2 \triangleright \Delta' \qquad \Delta' \vdash \mathcal{G}_1 \triangleright \Delta''}{\Delta \vdash \mathcal{G}_1;\mathcal{G}_2 \triangleright \Delta''}$$

By induction $\mathrm{tr}(\Delta'') \preceq (\mathrm{tr}(\mathcal{G}_1)\,\mathrm{tr}(\Delta'))^\#$ and $\mathrm{tr}(\Delta') \preceq (\mathrm{tr}(\mathcal{G}_2)\,\mathrm{tr}(\Delta))^\#$, which imply 

• $\mathrm{tr}(\Delta'') \preceq (\mathrm{tr}(\mathcal{G}_1)(\mathrm{tr}(\mathcal{G}_2)\,\mathrm{tr}(\Delta))^\#)^\#$ by Lemma A.1(5b); 

• $\mathrm{tr}(\Delta'') \preceq (\mathrm{tr}(\mathcal{G}_1)\,\mathrm{tr}(\mathcal{G}_2)\,\mathrm{tr}(\Delta))^\#$ by Lemma A.1(2); 

• $\mathrm{tr}(\Delta'') \preceq (\mathrm{tr}(\mathcal{G}_1;\mathcal{G}_2)\,\mathrm{tr}(\Delta))^\#$ by Definition 2.2. 

Rule (SP-Alternative): 

$$\frac{\Delta \vdash \mathcal{G}_1 \triangleright \{p : T_1\} \uplus \Delta' \qquad \Delta \vdash \mathcal{G}_2 \triangleright \{p : T_2\} \uplus \Delta'}{\Delta \vdash \mathcal{G}_1 \vee \mathcal{G}_2 \triangleright \{p : T_1 \oplus T_2\} \uplus \Delta'}$$

By induction $\mathrm{tr}(\{p : T_1\} \uplus \Delta') \preceq (\mathrm{tr}(\mathcal{G}_1)\,\mathrm{tr}(\Delta))^\#$ and $\mathrm{tr}(\{p : T_2\} \uplus \Delta') \preceq (\mathrm{tr}(\mathcal{G}_2)\,\mathrm{tr}(\Delta))^\#$, 
which imply 

• $\mathrm{tr}(\{p : T_1\} \uplus \Delta') \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta') \preceq (\mathrm{tr}(\mathcal{G}_1)\,\mathrm{tr}(\Delta))^\# \cup (\mathrm{tr}(\mathcal{G}_2)\,\mathrm{tr}(\Delta))^\#$ by Lemma A.1(5d); 

• $\mathrm{tr}(\{p : T_1\} \uplus \Delta') \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta') \preceq (\mathrm{tr}(\mathcal{G}_1)\,\mathrm{tr}(\Delta) \cup \mathrm{tr}(\mathcal{G}_2)\,\mathrm{tr}(\Delta))^\#$ by Lemma A.1(1); 

• $\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta') \preceq (\mathrm{tr}(\mathcal{G}_1)\,\mathrm{tr}(\Delta) \cup \mathrm{tr}(\mathcal{G}_2)\,\mathrm{tr}(\Delta))^\#$ by Lemma A.1(6); 

• $\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta') \preceq (\mathrm{tr}(\mathcal{G}_1 \vee \mathcal{G}_2)\,\mathrm{tr}(\Delta))^\#$ by Definition 2.2. 

Rule (SP-Iteration): 

$$\frac{\{p : T_1 \oplus T_2\} \uplus \Delta \vdash \mathcal{G} \triangleright \{p : T_1\} \uplus \Delta}{\{p : T_2\} \uplus \Delta \vdash \mathcal{G}^* \triangleright \{p : T_1 \oplus T_2\} \uplus \Delta}$$

By induction $\mathrm{tr}(\{p : T_1\} \uplus \Delta) \preceq (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\#$, i.e.: 

1. $\mathrm{tr}(\{p : T_1\} \uplus \Delta) \subseteq (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\#$ 

2. $(\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\# \subseteq \mathrm{tr}(\{p : T_1\} \uplus \Delta)^\circ$. 

Notice that by Definition 2.2 and Lemma A.1(1): 

$$(\mathrm{tr}(\mathcal{G}^*)\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\# = \bigcup_{m \geq 0} (\mathrm{tr}(\mathcal{G}^m)\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\#$$

We get: 

$$
\begin{array}{ll}
\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta) & \\
\quad = \mathrm{tr}(\{p : T_1\} \uplus \Delta) \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta) & \text{by Lemma A.1(6)} \\
\quad \subseteq (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\# \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta) & \text{by 1.} \\
\quad = (\mathrm{tr}(\mathcal{G})(\mathrm{tr}(\{p : T_1\} \uplus \Delta) \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta)))^\# \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta) & \text{by Lemma A.1(6)} \\
\quad = (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_1\} \uplus \Delta))^\# \cup (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\# \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta) & \text{by Lemma A.1(1)} \\
\quad \subseteq (\mathrm{tr}(\mathcal{G})(\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\#)^\# \cup (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\# \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta) & \text{by 1.} \\
\quad = (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\# \cup (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\# \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta) & \text{by Lemma A.1(2)} \\
\quad = (\mathrm{tr}(\mathcal{G}^2)\,\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\# \cup (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\# \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta) & \text{by Definition 2.2}
\end{array}
$$

and then by iterating: 

$$
\begin{array}{l}
\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta) \\
\quad \subseteq (\mathrm{tr}(\mathcal{G}^{m+1})\,\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\# \cup (\mathrm{tr}(\mathcal{G}^m)\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\# \cup \cdots \cup (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\# \cup \mathrm{tr}(\{p : T_2\} \uplus \Delta) \\
\quad \subseteq (\mathrm{tr}(\mathcal{G}^*)\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\#.
\end{array}
$$

We show by induction on $m$ that $(\mathrm{tr}(\mathcal{G}^{m})\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\# \subseteq (\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\circ$. 

For $m = 0$: 

$$
\begin{array}{ll}
(\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\# \subseteq (\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\# & \text{by Lemma A.1(6) and Definition A.1(2)} \\
\qquad\qquad\qquad\qquad\;\; \subseteq (\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\circ & \text{by Definition A.1}
\end{array}
$$

For $m + 1$: 

$$
\begin{array}{ll}
(\mathrm{tr}(\mathcal{G}^{m+1})\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\# & \\
\quad = (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\mathcal{G}^m)\,\mathrm{tr}(\{p : T_2\} \uplus \Delta))^\# & \text{by Definition 2.2} \\
\quad \subseteq (\mathrm{tr}(\mathcal{G})(\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\circ)^\# & \text{by induction} \\
\quad \subseteq (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\circ & \text{by Lemma A.1(3)} \\
\quad \subseteq (\mathrm{tr}(\{p : T_1\} \uplus \Delta))^\circ & \text{by 2. and Lemma A.1(4)} \\
\quad \subseteq (\mathrm{tr}(\{p : T_1 \oplus T_2\} \uplus \Delta))^\circ & \text{by Lemma A.1(4).}
\end{array}
$$



Rule (SP-Subsumption): 

$$\frac{\Delta \vdash \mathcal{G}' \triangleright \Delta' \qquad \mathcal{G}' \preceq \mathcal{G} \qquad \Delta'' \preceq \Delta'}{\Delta \vdash \mathcal{G} \triangleright \Delta''}$$

By induction $\mathrm{tr}(\Delta') \preceq (\mathrm{tr}(\mathcal{G}')\,\mathrm{tr}(\Delta))^\#$, so by Lemma A.1(5a) $\mathrm{tr}(\Delta'') \preceq (\mathrm{tr}(\mathcal{G}')\,\mathrm{tr}(\Delta))^\#$. From 
$\mathcal{G}' \preceq \mathcal{G}$ we conclude $\mathrm{tr}(\Delta'') \preceq (\mathrm{tr}(\mathcal{G})\,\mathrm{tr}(\Delta))^\#$ by Lemma A.1(5c) and (5a). □ 

Corollary A.1. If $\Delta$ is live and $\Delta \vdash \mathcal{G} \triangleright \Delta'$, then $\Delta'$ is live. 



Appendix B. More on merge and compatibility 

We start with an example showing the utility of the compatibility condition. Let $\Delta_1 = 
\{q : p?a.r!b.\mathsf{end},\ r : q?b.\mathsf{end}\}$ and $\Delta_2 = \{q : p?c.p!d.r!b.\mathsf{end},\ r : p?e.q?b.\mathsf{end}\}$. The merge of 
$\Delta_1$ and $\Delta_2$ is undefined, since the session types of $r$ in $\Delta_1$ and $\Delta_2$ are not compatible: the 
problem is that the input $q?b$ is not compatible with the session type $p?e.q?b.\mathsf{end}$. Let $\Delta$ 
be the session obtained by adding role $p$ with the expected session type to the merge of $\Delta_1$ 
and $\Delta_2$ (ignoring the compatibility condition), that is, $\Delta = \{p : q!a.\mathsf{end} \oplus q!c.q?d.r!e.\mathsf{end},\ q : 
p?a.r!b.\mathsf{end} + p?c.p!d.r!b.\mathsf{end},\ r : q?b.\mathsf{end} + p?e.q?b.\mathsf{end}\}$. Starting from the empty buffer and 
$\Delta$ we can reach the stuck configuration in which the buffer contains the action $p \xrightarrow{e} r$ and 
all roles in the session are typed by $\mathsf{end}$. More precisely, if $\varphi = p \xrightarrow{c} q;\; q \xrightarrow{d} p$: 

$$
\begin{array}{lll}
\varepsilon \,\#\, \Delta & \stackrel{\varphi}{\Longrightarrow} & q \xrightarrow{b} r :: p \xrightarrow{e} r \,\#\, \{p : \mathsf{end},\ q : \mathsf{end},\ r : q?b.\mathsf{end} + p?e.q?b.\mathsf{end}\} \\[4pt]
& \stackrel{q \xrightarrow{b} r}{\Longrightarrow} & p \xrightarrow{e} r \,\#\, \{p : \mathsf{end},\ q : \mathsf{end},\ r : \mathsf{end}\}
\end{array}
$$

i.e., participant $r$ chooses the wrong session type, since it is not aware in which branch 
it is. Notice that $\Delta_1 \uplus \{p : q!a.\mathsf{end}\}$ and $\Delta_2 \uplus \{p : q!c.q?d.r!e.\mathsf{end}\}$ can be obtained as 
algorithmic projections of the well-formed global types $\mathcal{G}_1 = p \xrightarrow{a} q;\; q \xrightarrow{b} r$ and $\mathcal{G}_2 = 
p \xrightarrow{c} q;\; (q \xrightarrow{d} p;\; p \xrightarrow{e} r \;\wedge\; q \xrightarrow{b} r)$, when to project $\mathcal{G}_2$ we use the ill-formed global 
type $p \xrightarrow{c} q;\; q \xrightarrow{d} p;\; p \xrightarrow{e} r;\; q \xrightarrow{b} r$ (see Subsection 5.3). Using $p \xrightarrow{c} q;\; q \xrightarrow{b} r;\; q \xrightarrow{d} 
p;\; p \xrightarrow{e} r$ to project $\mathcal{G}_2$ and reasoning as before we get $\Delta' = \{p : q!a.\mathsf{end} \oplus q!c.q?d.r!e.\mathsf{end},\ q : 
p?a.r!b.\mathsf{end} + p?c.r!b.p!d.\mathsf{end},\ r : q?b.\mathsf{end} + p?e.q?b.\mathsf{end}\}$. Also $\Delta'$ is not a live session, and 
since we eliminated $\wedge$ from $\mathcal{G}_2$ in all possible ways we see no way to semantically project 
$\mathcal{G}_1 \vee \mathcal{G}_2$. 

We can semantically but not algorithmically project a slight variation of the previous 
example. Let $\Delta_3 = \{q : p?c.p!d.r?f.r!b.\mathsf{end},\ r : p?e.q!f.q?b.\mathsf{end}\}$. Notice that the session 
types of $r$ in $\Delta_1$ and $\Delta_3$ are not compatible. It is easy to verify that choosing $\Delta'' = \{q : 
p?a.r!b.\mathsf{end} + p?c.p!d.r?f.r!b.\mathsf{end},\ r : q?b.\mathsf{end} + p?e.q!f.q?b.\mathsf{end}\}$ we get 

$$\{p : q!a.\mathsf{end}\} \uplus \Delta'' \leq \{p : q!a.\mathsf{end}\} \uplus \Delta_1 \qquad\text{and}\qquad \{p : q!c.q?d.r!e.\mathsf{end}\} \uplus \Delta'' \leq \{p : q!c.q?d.r!e.\mathsf{end}\} \uplus \Delta_3$$

Notice that $\Delta_3 \uplus \{p : q!c.q?d.r!e.\mathsf{end}\}$ can be obtained as the algorithmic projection of the 
well-formed global type $\mathcal{G}_3 = p \xrightarrow{c} q;\; q \xrightarrow{d} p;\; p \xrightarrow{e} r;\; r \xrightarrow{f} q;\; q \xrightarrow{b} r$. Then the global 
type $\mathcal{G}_1 \vee \mathcal{G}_3$ can be semantically but not algorithmically projected. It is interesting to 
observe that in one branch participant $r$ receives the message $b$ from $q$, in the other branch 
participant $r$ receives first the message $e$ from $p$ and then the message $b$ from $q$. This 
assures that $r$ always chooses the right session type. Comparing $\mathcal{G}_2$ and $\mathcal{G}_3$ of the previous 
examples one can see how the addition of the action $r \xrightarrow{f} q$ introduces a sequentialization 
which is the key of projectability. 
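The two sessions of this appendix can be checked mechanically. The Python code below is an added example, not the paper's own code: it explores every configuration a session can reach from the empty buffer, under a simplified model of the semantics of Section 3 that is an assumption of the example (an input $p?a$ of participant $q$ consumes the first message from $p$ to $q$ carrying $a$ wherever it sits in the buffer, outputs never block, and a choice $T_1 \oplus T_2$ or $T_1 + T_2$ may proceed with any branch whose first action is enabled). A session is reported live when every reachable configuration can still reach the configuration with an empty buffer and all participants at $\mathsf{end}$; otherwise the configurations with no successor are returned as diagnostics. On $\Delta$ it finds exactly the stuck configuration described above, with $p \xrightarrow{e} r$ left in the buffer and every role at $\mathsf{end}$; on $\{p : q!c.q?d.r!e.\mathsf{end}\} \uplus \Delta''$ it reports liveness, since $r$ cannot take the $q?b$ branch before $e$ has arrived.

```python
# Added example: exhaustive liveness check of a multi-party session on a
# single buffer.  The reduction rules below are this example's own
# simplified model of the session semantics, not the paper's definition.

END = ('end',)

def out(to, label, cont=END):    # to!label.cont   send `label` to `to`
    return ('out', to, label, cont)

def inp(frm, label, cont=END):   # frm?label.cont  receive `label` from `frm`
    return ('in', frm, label, cont)

def choice(*branches):           # T1 (+) T2 / T1 + T2: any enabled branch may fire
    return ('choice',) + branches

def moves(name, typ, buf):
    """Enabled steps of participant `name`: list of (new buffer, continuation)."""
    kind = typ[0]
    if kind == 'end':
        return []
    if kind == 'out':
        _, to, label, cont = typ
        return [(buf + ((name, to, label),), cont)]       # outputs never block
    if kind == 'in':
        _, frm, label, cont = typ
        for i, msg in enumerate(buf):                    # first matching message
            if msg == (frm, name, label):
                return [(buf[:i] + buf[i + 1:], cont)]
        return []                                        # nothing to receive yet
    if kind == 'choice':
        return [m for br in typ[1:] for m in moves(name, br, buf)]
    raise ValueError(kind)

def successors(conf):
    buf, session = conf
    result = []
    for idx, (name, typ) in enumerate(session):
        for new_buf, cont in moves(name, typ, buf):
            result.append((new_buf, session[:idx] + ((name, cont),) + session[idx + 1:]))
    return result

def is_terminal(conf):
    buf, session = conf
    return not buf and all(typ == END for _, typ in session)

def check_liveness(session_dict):
    """Return (live?, stuck configurations) for the session started on an empty buffer."""
    start = ((), tuple(sorted(session_dict.items())))
    reachable, stack = set(), [start]
    while stack:                                         # forward exploration
        conf = stack.pop()
        if conf not in reachable:
            reachable.add(conf)
            stack.extend(successors(conf))
    good = {c for c in reachable if is_terminal(c)}      # backward fixpoint: the
    changed = True                                       # configurations that can
    while changed:                                       # still terminate
        changed = False
        for conf in reachable - good:
            if any(s in good for s in successors(conf)):
                good.add(conf)
                changed = True
    stuck = [c for c in reachable - good if not successors(c)]
    return reachable <= good, stuck

# Sessions of this appendix, transcribed from the session types given above.
DELTA = {
    'p': choice(out('q', 'a'), out('q', 'c', inp('q', 'd', out('r', 'e')))),
    'q': choice(inp('p', 'a', out('r', 'b')), inp('p', 'c', out('p', 'd', out('r', 'b')))),
    'r': choice(inp('q', 'b'), inp('p', 'e', inp('q', 'b'))),
}
DELTA_SECOND = {   # Delta'' of the second example (role p added separately)
    'q': choice(inp('p', 'a', out('r', 'b')),
                inp('p', 'c', out('p', 'd', inp('r', 'f', out('r', 'b'))))),
    'r': choice(inp('q', 'b'), inp('p', 'e', out('q', 'f', inp('q', 'b')))),
}

if __name__ == '__main__':
    live, stuck = check_liveness(DELTA)
    print(live, stuck)     # False, one stuck configuration with ('p', 'r', 'e') buffered
    print(check_liveness({'p': out('q', 'c', inp('q', 'd', out('r', 'e'))), **DELTA_SECOND})[0])  # True
```

The check is exhaustive because the session types here carry no recursion, so the reachable configurations are finite; the same exploration applied to the projection of an iterated global type would need a bound on the buffer or on the unrolling depth.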

Appendix C. More on the elimination of A 

We conjecture that the following rewriting rules (together with the symmetric ones) are 
necessary and sufficient in order to eliminate « A » from global types: 

^A^' ^ ^;^' (^iV^2)A^ ^ (5fi A 5f ) V (^2 A ^) 

(^i;^2)A^ ^ (^iA^);5^2 ^* A ^' ^ (^ A ^');5f* V ^' 

(^i;^2)A^ ^ ^i;(5f2A^) ^* A ^' ^ ^*; (^ A 5^') V ^' 

Sometimes $\wedge$ with stars can be dealt with using the first rule in the right way. The global type $(p \to q)^* \wedge p \to q$ sequentialized as $(p \to q)^*;\ p \to q$ is algorithmically projected from $\{p : \mathsf{end},\ q : \mathsf{end}\}$, while $p \to q;\ (p \to q)^*$ is not algorithmically projected from $\{p : \mathsf{end},\ q : \mathsf{end}\}$. Vice versa the global type $(p \to q)^* \wedge r \to s$ sequentialized as $(p \to q)^*;\ r \to s$ is not algorithmically projected from $\{p : q!c.\mathsf{end},\ q : p?c.\mathsf{end}\}$, while $r \to s;\ (p \to q)^*$ is algorithmically projected from $\{p : q!c.\mathsf{end},\ q : p?c.\mathsf{end}\}$.

The following example shows the utility of the last two rewriting rules to project stars. 



Let $\Delta = \{s : q_1!d.r_1!d.q_2!d.r_2!d.\mathsf{end},\ q_1 : s?d,\ r_1 : s?d,\ q_2 : s?d,\ r_2 : s?d\}$, $\mathcal{G}'_i = p_i \to q_i \vee p_i \to r_i$ for $i = 1,2$ and $\mathcal{G}_1 = \{q_1, r_1\} \to s;\ \mathcal{G}'_1$, $\mathcal{G}_2 = \mathcal{G}'_2;\ s \to q_1;\ s \to r_1$, $\mathcal{G} = \{q_2, r_2\} \to s;\ s \to q_2;\ s \to r_2$. The only way to eliminate $\wedge$ from $(\mathcal{G}_1;\mathcal{G}_2)^* \wedge \mathcal{G}$ and obtain a global type projectable with the continuation $\Delta$ is $[(\mathcal{G}_1;\mathcal{G};\mathcal{G}_2);(\mathcal{G}_1;\mathcal{G}_2)^*] \vee \mathcal{G}$.
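As an added worked derivation (not part of the original appendix), the three rewriting steps that produce the global type above, each an instance of one of the rules listed at the start of this appendix; the last step uses the symmetric form of the first rule, $\mathcal{G}_2 \wedge \mathcal{G} \Rightarrow \mathcal{G};\mathcal{G}_2$:

$$\begin{array}{rcll}
(\mathcal{G}_1;\mathcal{G}_2)^* \wedge \mathcal{G} & \Rightarrow & ((\mathcal{G}_1;\mathcal{G}_2) \wedge \mathcal{G});(\mathcal{G}_1;\mathcal{G}_2)^* \vee \mathcal{G} & \text{(star rule, left-hand form)} \\
& \Rightarrow & (\mathcal{G}_1;(\mathcal{G}_2 \wedge \mathcal{G}));(\mathcal{G}_1;\mathcal{G}_2)^* \vee \mathcal{G} & \text{(sequencing rule, second form)} \\
& \Rightarrow & (\mathcal{G}_1;\mathcal{G};\mathcal{G}_2);(\mathcal{G}_1;\mathcal{G}_2)^* \vee \mathcal{G} & \text{(symmetric form of the first rule)}
\end{array}$$

Taking the other form of the star rule, the other form of the sequencing rule, or the non-symmetric first rule at any step places $\mathcal{G}$ at a different position in the sequence; these are the alternatives the text above says are not projectable with continuation $\Delta$.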

Appendix D. Proof of Theorem 5.1

Lemma D.1. The following properties hold:

(1) If $\{p : T\} \uplus \Delta$ is live, then $\mathsf{tr}(\{p : T\} \uplus \Delta) = \mathsf{tr}(\{p : T\} \uplus (\Delta \curlywedge \Delta'))$ for all $\Delta'$ such that $\Delta \curlywedge \Delta'$ is defined.

(2) If $\{p : T_1\} \uplus \Delta_1$ and $\{p : T_2\} \uplus \Delta_2$ are live, then $\{p : T_1 \oplus T_2\} \uplus (\Delta_1 \curlywedge \Delta_2)$ is live if defined.

Proof. (1) If $\{p : T\} \uplus \Delta$ is live, then each output in a session type of $\{p : T\} \uplus \Delta$ has a dual input and therefore the addition of compatible inputs cannot change the set of traces.

(2) If $\Delta_1 \curlywedge \Delta_2$ is defined, then the types in $\Delta_1$ and $\Delta_2$ for the same participant can only differ on inputs, so no new trace can arise in $\{p : T\} \uplus (\Delta_1 \curlywedge \Delta_2)$ which was not already in $\{p : T_1\} \uplus \Delta_1$. □
We use $\rho$ to range over substitutions of session type variables with closed session types. We extend $\rho$ to session types and environments in the expected way.

Lemma D.2. If $\rho(\Delta)$ is live and $\Delta \vdash_{\mathrm{a}} \mathcal{G} \triangleright \Delta'$, then $\rho(\Delta')$ is live.

Proof. By induction on the derivation of $\Delta \vdash_{\mathrm{a}} \mathcal{G} \triangleright \Delta'$. We only consider interesting cases.

For rule (AP-Alternative):

$$\dfrac{\Delta \vdash_{\mathrm{a}} \mathcal{G}_1 \triangleright \{p : T_1\} \uplus \Delta_1 \qquad \Delta \vdash_{\mathrm{a}} \mathcal{G}_2 \triangleright \{p : T_2\} \uplus \Delta_2}{\Delta \vdash_{\mathrm{a}} \mathcal{G}_1 \vee \mathcal{G}_2 \triangleright \{p : T_1 \oplus T_2\} \uplus (\Delta_1 \curlywedge \Delta_2)}$$

we use Lemma D.1(2).

For rule (AP-Iteration):

$$\dfrac{\{p : X\} \uplus \{p_i : X_i\}_{i \in I} \uplus \Delta \vdash_{\mathrm{a}} \mathcal{G} \triangleright \{p : S\} \uplus \{p_i : S_i\}_{i \in I} \uplus \Delta}{\{p : T\} \uplus \{p_i : T_i\}_{i \in I} \uplus \Delta \vdash_{\mathrm{a}} \mathcal{G}^* \triangleright \{p : \mathsf{rec}\,X.(T \oplus S)\} \uplus \{p_i : \mathsf{rec}\,X_i.(T_i \curlywedge S_i)\}_{i \in I} \uplus \Delta}$$

we define

$$\begin{array}{ll}
\rho_0(X) = \rho(T) & \rho_{\ell+1}(X) = \rho_\ell(S) \\
\rho_0(X_i) = \rho(T_i) & \rho_{\ell+1}(X_i) = \rho_\ell(S_i) \\
\rho_0(Y) = \rho(Y) \text{ for } Y \notin \{X, X_i \mid i \in I\} & \rho_{\ell+1}(Y) = \rho(Y) \text{ for } Y \notin \{X, X_i \mid i \in I\}
\end{array}$$

for $i \in I$ and $\ell \geq 0$. Since $\rho(\{p : T\} \uplus \{p_i : T_i\}_{i \in I} \uplus \Delta) = \rho_0(\{p : X\} \uplus \{p_i : X_i\}_{i \in I} \uplus \Delta)$ is live by hypothesis and $\{p : X\} \uplus \{p_i : X_i\}_{i \in I} \vdash_{\mathrm{a}} \mathcal{G} \triangleright \{p : S\} \uplus \{p_i : S_i\}_{i \in I}$, by induction we get that $\rho_0(\{p : S\} \uplus \{p_i : S_i\}_{i \in I} \uplus \Delta) = \rho_1(\{p : X\} \uplus \{p_i : X_i\}_{i \in I} \uplus \Delta)$ is live. By iterating this argument we get the liveness of $\rho_{\ell+1}(\{p : X\} \uplus \{p_i : X_i\}_{i \in I} \uplus \Delta)$ from the liveness of $\rho_\ell(\{p : X\} \uplus \{p_i : X_i\}_{i \in I} \uplus \Delta)$ for all $\ell \geq 0$. By Lemma D.1(2) $\{p : \rho_0(X) \oplus \cdots \oplus \rho_\ell(X)\} \uplus \{p_i : \rho_0(X_i) \curlywedge \cdots \curlywedge \rho_\ell(X_i)\}_{i \in I} \uplus \rho(\Delta)$ is live for all $\ell \geq 0$. By construction every finite subtree of $\mathsf{rec}\,X.(\rho(T \oplus S))$ is a subtree of $\rho_0(X) \oplus \cdots \oplus \rho_\ell(X)$ for some $\ell \geq 0$ and every finite subtree of $\mathsf{rec}\,X.(\rho(\mathsf{rec}\,X_i.(T_i \curlywedge S_i)))$ is a subtree of $\rho_0(X_i) \curlywedge \cdots \curlywedge \rho_\ell(X_i)$ for some $\ell \geq 0$. We can conclude that $\rho(\{p : \mathsf{rec}\,X.(T \oplus S)\} \uplus \{p_i : \mathsf{rec}\,X_i.(T_i \curlywedge S_i)\}_{i \in I} \uplus \Delta)$ is live. □

Lemma D.3. If $\Delta \vdash \mathcal{G} \triangleright \Delta'$ and $\mathsf{tr}(\Delta'') = \mathsf{tr}(\Delta)$, then $\Delta'' \vdash \mathcal{G} \triangleright \Delta'$.

Proof. We can derive $\Delta'' \vdash \mathsf{skip} \triangleright \Delta''$, which implies $\Delta'' \vdash \mathsf{skip} \triangleright \Delta$. Then $\Delta'' \vdash \mathsf{skip};\mathcal{G} \triangleright \Delta'$, so we conclude $\Delta'' \vdash \mathcal{G} \triangleright \Delta'$. □

Proof of Theorem 5.1. We show

$$\text{if } \rho(\Delta) \text{ is live and } \Delta \vdash_{\mathrm{a}} \mathcal{G} \triangleright \Delta', \text{ then } \rho(\Delta) \vdash \mathcal{G} \triangleright \rho(\Delta')$$

by induction on the derivation of $\Delta \vdash_{\mathrm{a}} \mathcal{G} \triangleright \Delta'$.

If the last applied rule is (AP-Alternative):

$$\dfrac{\Delta \vdash_{\mathrm{a}} \mathcal{G}_1 \triangleright \{p : T_1\} \uplus \Delta_1 \qquad \Delta \vdash_{\mathrm{a}} \mathcal{G}_2 \triangleright \{p : T_2\} \uplus \Delta_2}{\Delta \vdash_{\mathrm{a}} \mathcal{G}_1 \vee \mathcal{G}_2 \triangleright \{p : T_1 \oplus T_2\} \uplus (\Delta_1 \curlywedge \Delta_2)}$$

by induction $\rho(\Delta) \vdash \mathcal{G}_1 \triangleright \rho(\{p : T_1\} \uplus \Delta_1)$ and $\rho(\Delta) \vdash \mathcal{G}_2 \triangleright \rho(\{p : T_2\} \uplus \Delta_2)$. By Lemma D.2 $\rho(\{p : T_1\} \uplus \Delta_1)$ and $\rho(\{p : T_2\} \uplus \Delta_2)$ are live. By Lemma D.1(1) we get $\rho(\{p : T_1\} \uplus (\Delta_1 \curlywedge \Delta_2)) \leqslant \rho(\{p : T_1\} \uplus \Delta_1)$ and $\rho(\{p : T_2\} \uplus (\Delta_1 \curlywedge \Delta_2)) \leqslant \rho(\{p : T_2\} \uplus \Delta_2)$. We can then derive $\rho(\Delta) \vdash \mathcal{G}_1 \triangleright \rho(\{p : T_1\} \uplus (\Delta_1 \curlywedge \Delta_2))$ and $\rho(\Delta) \vdash \mathcal{G}_2 \triangleright \rho(\{p : T_2\} \uplus (\Delta_1 \curlywedge \Delta_2))$ by rule (SP-Subsumption), so we conclude $\rho(\Delta) \vdash \mathcal{G}_1 \vee \mathcal{G}_2 \triangleright \rho(\{p : T_1 \oplus T_2\} \uplus (\Delta_1 \curlywedge \Delta_2))$ by rule (SP-Alternative).
Let the last applied rule be (AP-Iteration):

$$\dfrac{\{p : X\} \uplus \{p_i : X_i\}_{i \in I} \uplus \Delta \vdash_{\mathrm{a}} \mathcal{G} \triangleright \{p : S\} \uplus \{p_i : S_i\}_{i \in I} \uplus \Delta}{\{p : T\} \uplus \{p_i : T_i\}_{i \in I} \uplus \Delta \vdash_{\mathrm{a}} \mathcal{G}^* \triangleright \Delta' \uplus \Delta}$$

where $\Delta' = \{p : \mathsf{rec}\,X.(T \oplus S)\} \uplus \{p_i : \mathsf{rec}\,X_i.(T_i \curlywedge S_i)\}_{i \in I}$. If $\rho(\{p : T\} \uplus \{p_i : T_i\}_{i \in I} \uplus \Delta)$ is live, then $\rho(\Delta' \uplus \Delta)$ is live by Lemma D.2. We define

$$\begin{array}{l}
\rho_0(X) = \rho(\mathsf{rec}\,X.(T \oplus S)) \\
\rho_0(X_i) = \rho(\mathsf{rec}\,X_i.(T_i \curlywedge S_i)) \\
\rho_0(Y) = \rho(Y) \text{ for } Y \notin \{X, X_i \mid i \in I\}
\end{array}$$

Since $\rho_0(\{p : X\} \uplus \{p_i : X_i\}_{i \in I} \uplus \Delta) = \rho(\Delta' \uplus \Delta)$ we get by induction $\rho(\Delta' \uplus \Delta) \vdash \mathcal{G} \triangleright \rho_0(\{p : S\} \uplus \{p_i : S_i\}_{i \in I} \uplus \Delta)$. This implies that $\rho_0(\{p : S\} \uplus \{p_i : S_i\}_{i \in I} \uplus \Delta)$ is live by Corollary A.1. We define:

$$\begin{array}{ll}
T' = \rho(T) & T'_i = \rho(T_i) \\
S' = \rho_0(S) & S'_i = \rho_0(S_i) \\
\Delta_0 = \{p_i : T'_i \curlywedge S'_i\}_{i \in I} \uplus \rho(\Delta) &
\end{array}$$

Since $\rho(\Delta' \uplus \Delta) = \{p : T' \oplus S'\} \uplus \Delta_0$ and by Lemma D.1(1) $\{p : S'\} \uplus \Delta_0 \leqslant \{p : S'\} \uplus \{p_i : S'_i\}_{i \in I} \uplus \rho(\Delta)$ we derive $\{p : T' \oplus S'\} \uplus \Delta_0 \vdash \mathcal{G} \triangleright \{p : S'\} \uplus \Delta_0$ by rule (SP-Subsumption), which implies $\{p : T'\} \uplus \Delta_0 \vdash \mathcal{G}^* \triangleright \{p : T' \oplus S'\} \uplus \Delta_0$ by rule (SP-Iteration). By Lemma D.1(1) $\mathsf{tr}(\{p : T'\} \uplus \Delta_0) = \mathsf{tr}(\{p : T'\} \uplus \{p_i : T'_i\}_{i \in I} \uplus \rho(\Delta))$, so we conclude by Lemma D.3 $\{p : T'\} \uplus \{p_i : T'_i\}_{i \in I} \uplus \rho(\Delta) \vdash \mathcal{G}^* \triangleright \rho(\Delta' \uplus \Delta)$. □